diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 6dbc487f58..d3f5beecbb 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -9,6 +9,7 @@
 "build_output_subfolder": "mdop-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -25,6 +26,7 @@
 "build_output_subfolder": "windows-manage-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -41,6 +43,7 @@
 "build_output_subfolder": "smb-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -57,6 +60,7 @@
 "build_output_subfolder": "surface-hub-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -73,6 +77,7 @@
 "build_output_subfolder": "microsoft-edge-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -89,6 +94,7 @@
 "build_output_subfolder": "win-development-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -105,6 +111,7 @@
 "build_output_subfolder": "windows-plan-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -121,6 +128,7 @@
 "build_output_subfolder": "win-client-management-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -137,6 +145,7 @@
 "build_output_subfolder": "win-threat-protection-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -153,6 +162,7 @@
 "build_output_subfolder": "win-app-management-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -169,6 +179,7 @@
 "build_output_subfolder": "windows-deploy-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -185,6 +196,7 @@
 "build_output_subfolder": "keep-secure-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -201,6 +213,7 @@
 "build_output_subfolder": "surface-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -217,6 +230,7 @@
 "build_output_subfolder": "windows-hub-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -233,6 +247,7 @@
 "build_output_subfolder": "internet-explorer-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -249,6 +264,7 @@
 "build_output_subfolder": "bcs-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
@@ -265,6 +281,7 @@
 "build_output_subfolder": "win-access-protection-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -281,6 +298,7 @@
 "build_output_subfolder": "win-device-security-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -297,6 +315,7 @@
 "build_output_subfolder": "education-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -313,6 +332,7 @@
 "build_output_subfolder": "store-for-business-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -329,6 +349,7 @@
 "build_output_subfolder": "win-configuration-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -345,6 +366,7 @@
 "build_output_subfolder": "windows-update-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -361,6 +383,7 @@
 "build_output_subfolder": "win-whats-new-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -377,6 +400,7 @@
 "build_output_subfolder": "itpro-hololens-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -393,6 +417,7 @@
 "build_output_subfolder": "windows-configure-VSTS",
 "locale": "en-us",
 "monikers": [],
+ "moniker_groups": [],
 "open_to_public_contributors": true,
 "type_mapping": {
 "Conceptual": "Content",
@@ -402,6 +427,23 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "microsoft-365",
+ "build_source_folder": "microsoft-365",
+ "build_output_subfolder": "microsoft-365",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_groups": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
@@ -435,10 +477,6 @@
 "master": [
 "Publish",
 "Pdf"
- ],
- "msesdemo": [
- "Publish",
- "Pdf"
 ]
 },
 "need_generate_pdf_url_template": true,
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 8f10c8e96a..e115963c4d 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -11,6 +11,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/client-management/mdm/policy-admx-backed.md",
+"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
 "redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
 "redirect_document_id": false
@@ -8269,6 +8274,16 @@
 "source_path": "windows/manage/change-history-for-manage-and-update-windows-10.md",
 "redirect_url": "/windows/windows-10/index",
 "redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-servicing-branches-windows-10-updates.md",
+"redirect_url": "/windows/deployment/update/waas-servicing-channels-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/windows-10-enterprise-activation-subscription.md",
+"redirect_url": "/windows/deployment/windows-10-enterprise-subscription-activation",
+"redirect_document_id": true
 }
 ]
 }
\ No newline at end of file
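Review bot: The new `microsoft-365` docset added in the `@@ -402,6 +427,23 @@` hunk of `.openpublishing.publish.config.json` sets `"build_output_subfolder": "microsoft-365"`, while every other docset visible in this diff uses a `-VSTS` suffix (for example `"bcs-VSTS"`). If the publishing pipeline relies on that naming, the line should read `"build_output_subfolder": "microsoft-365-VSTS"`; if the difference is deliberate, the commit description should say so. The entry's `"open_to_public_contributors": false` matches the `bcs` docset, but it is worth confirming that this is the intended contribution policy for the new folder before it is published.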
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 99dceed75d..bd183c2b97 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -31,7 +31,7 @@ We've tried to make editing an existing, public file as simple as possible. ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide) + - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) diff --git a/bcs/TOC.md b/bcs/TOC.md index 06913f7aef..ec9e79cbfc 100644 --- a/bcs/TOC.md +++ b/bcs/TOC.md @@ -1 +1 @@ -# [Index](index.md) \ No newline at end of file +# [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md) \ No newline at end of file diff --git a/bcs/breadcrumb/toc.yml b/bcs/breadcrumb/toc.yml new file mode 100644 index 0000000000..6a29a6b202 --- /dev/null +++ b/bcs/breadcrumb/toc.yml @@ -0,0 +1,11 @@ +- name: Docs + tocHref: / + topicHref: / + items: + - name: Microsoft 365 Business + tocHref: /microsoft-365-business/ + topicHref: /microsoft-365-business/index + items: + - name: Support + tocHref: /microsoft-365-business/support/ + topicHref: /microsoft-365-business/support/microsoft-365-business-faqs \ No newline at end of file diff --git a/bcs/docfx.json b/bcs/docfx.json index 4e3f166ece..aa19bbfd9b 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -3,7 +3,8 @@ "content": [ { "files": [ - "**/*.md" + "**/*.md", + "**/**.yml" ], "exclude": [ "**/obj/**", @@ -19,7 +20,9 @@ { "files": [ "**/*.png", - "**/*.jpg" + "**/*.svg", + "**/*.jpg", + "**/*.json" ], "exclude": [ "**/obj/**", 
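Review bot: In `bcs/docfx.json` the resource `files` list in the `@@ -19,7 +20,9 @@` hunk now includes `"**/*.json"`, which matches every JSON file under the docset folder rather than only the breadcrumb output that `breadcrumb_path` refers to. Any JSON committed under `bcs/` later would be picked up as a published resource. Consider narrowing the glob to the breadcrumb folder (something like `"breadcrumb/*.json"`, to be checked against the build layout) or confirming that the `exclude` list covers configuration files. The same list adds `"**/*.svg"`; SVG can carry script and external references, so the added images should be checked for active content before they are served from the docs origin. As a style point, the content glob in the `@@ -3,7 +3,8 @@` hunk is written `"**/**.yml"` where the neighbouring entry uses the `"**/*.md"` form, so `"**/*.yml"` would be consistent.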
@@ -30,6 +33,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "breadcrumb_path": "/microsoft-365-business/breadcrumb/toc.json", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "TechNet.bcs" diff --git a/bcs/images/bcs-information-product-help-office.svg b/bcs/images/bcs-information-product-help-office.svg new file mode 100644 index 0000000000..a748576afa --- /dev/null +++ b/bcs/images/bcs-information-product-help-office.svg @@ -0,0 +1,94 @@ + + + + + bcs-information-product-help-office + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-information-product-help-windows10.svg b/bcs/images/bcs-information-product-help-windows10.svg new file mode 100644 index 0000000000..f9c36f40be --- /dev/null +++ b/bcs/images/bcs-information-product-help-windows10.svg @@ -0,0 +1,122 @@ + + + + + bcs-information-product-help-windows10 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-iw-devicesetup-move-files-2.svg b/bcs/images/bcs-iw-devicesetup-move-files-2.svg new file mode 100644 index 0000000000..8eff6a423a --- /dev/null +++ b/bcs/images/bcs-iw-devicesetup-move-files-2.svg @@ -0,0 +1,76 @@ + + + + + bcs-partner-advanced-management-move-files-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-iw-devicesetup-setup-1.svg b/bcs/images/bcs-iw-devicesetup-setup-1.svg new file mode 100644 index 0000000000..6011499c3a --- /dev/null +++ b/bcs/images/bcs-iw-devicesetup-setup-1.svg @@ -0,0 +1,91 @@ + + + + + bcs-partner-advanced-management-setup-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- add-group-5.svg b/bcs/images/bcs-partner-advanced-management- add-group-5.svg new file mode 100644 index 0000000000..435e4bc752 --- /dev/null 
+++ b/bcs/images/bcs-partner-advanced-management- add-group-5.svg @@ -0,0 +1,69 @@ + + + + + bcs-partner-advanced-management- add-group-5 + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- billing-7.svg b/bcs/images/bcs-partner-advanced-management- billing-7.svg new file mode 100644 index 0000000000..50af1d2262 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- billing-7.svg @@ -0,0 +1,115 @@ + + + + + bcs-partner-advanced-management- billing-7 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- install-4.svg b/bcs/images/bcs-partner-advanced-management- install-4.svg new file mode 100644 index 0000000000..24f2df79ca --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- install-4.svg @@ -0,0 +1,62 @@ + + + + + bcs-partner-advanced-management- install-4 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg b/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg new file mode 100644 index 0000000000..81370d6388 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- management-4_placeholder.svg @@ -0,0 +1,39 @@ + + + + + bcs-partner-advanced-management- management-4 + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management- reports-9.svg b/bcs/images/bcs-partner-advanced-management- reports-9.svg new file mode 100644 index 0000000000..f34b2f595e --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management- reports-9.svg @@ -0,0 +1,106 @@ + + + + + bcs-partner-advanced-management- reports-9 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-add-domain-2.svg b/bcs/images/bcs-partner-advanced-management-add-domain-2.svg new file mode 100644 index 0000000000..2fab39dd10 --- /dev/null 
+++ b/bcs/images/bcs-partner-advanced-management-add-domain-2.svg @@ -0,0 +1,75 @@ + + + + + bcs-partner-advanced-management-add-domain- + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-add-user-1.svg b/bcs/images/bcs-partner-advanced-management-add-user-1.svg new file mode 100644 index 0000000000..30bebd62f4 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-add-user-1.svg @@ -0,0 +1,69 @@ + + + + + bcs-partner-advanced-management-add-user-1 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg b/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg new file mode 100644 index 0000000000..bd992b7c7f --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-auto-pilot-3.svg @@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-auto-pilot-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-faq-2.svg b/bcs/images/bcs-partner-advanced-management-faq-2.svg new file mode 100644 index 0000000000..a89de48058 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-faq-2.svg @@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-faq-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-find-partner-1.svg b/bcs/images/bcs-partner-advanced-management-find-partner-1.svg new file mode 100644 index 0000000000..ffae69af7c --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-find-partner-1.svg @@ -0,0 +1,105 @@ + + + + + bcs-partner-advanced-management-fid-oartner-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-find-partner-2.svg b/bcs/images/bcs-partner-advanced-management-find-partner-2.svg new file mode 100644 index 0000000000..221c47548e --- /dev/null 
+++ b/bcs/images/bcs-partner-advanced-management-find-partner-2.svg @@ -0,0 +1,73 @@ + + + + + bcs-partner-advanced-management-find-partner-2 + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-intune-1.svg b/bcs/images/bcs-partner-advanced-management-intune-1.svg new file mode 100644 index 0000000000..ba86b50274 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-intune-1.svg @@ -0,0 +1,76 @@ + + + + + bcs-partner-advanced-management-intune-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-learn-about-1.svg b/bcs/images/bcs-partner-advanced-management-learn-about-1.svg new file mode 100644 index 0000000000..5237e929eb --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-learn-about-1.svg @@ -0,0 +1,70 @@ + + + + + bcs-partner-advanced-management-learn-about-1 + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-password-3.svg b/bcs/images/bcs-partner-advanced-management-password-3.svg new file mode 100644 index 0000000000..f1f91ab410 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-password-3.svg @@ -0,0 +1,56 @@ + + + + + bcs-partner-advanced-management-password-3 + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg b/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg new file mode 100644 index 0000000000..1a4d5ad540 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-resources-6_placeholder.svg @@ -0,0 +1,37 @@ + + + + + bcs-partner-advanced-management-resources-6 + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-settings-8.svg b/bcs/images/bcs-partner-advanced-management-settings-8.svg new file mode 100644 index 0000000000..5b556a7ce0 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-settings-8.svg 
@@ -0,0 +1,85 @@ + + + + + bcs-partner-advanced-management-settings-8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-technical-support-4.svg b/bcs/images/bcs-partner-advanced-management-technical-support-4.svg new file mode 100644 index 0000000000..00fe5333f8 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-technical-support-4.svg @@ -0,0 +1,88 @@ + + + + + bcs-partner-advanced-management-technical-support-4 + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg b/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg new file mode 100644 index 0000000000..d70739d1c2 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-troubleshooting-3.svg @@ -0,0 +1,78 @@ + + + + + bcs-partner-advanced-management-troubleshooting-3 + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-windows10-2.svg b/bcs/images/bcs-partner-advanced-management-windows10-2.svg new file mode 100644 index 0000000000..dbfef70e2d --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-windows10-2.svg @@ -0,0 +1,59 @@ + + + + + bcs-partner-advanced-management-windows10-2 + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg b/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg new file mode 100644 index 0000000000..5e772085f1 --- /dev/null +++ b/bcs/images/bcs-partner-advanced-management-windows10pc-3.svg @@ -0,0 +1,96 @@ + + + + + bcs-partner-advanced-management-windows10pc-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-get-started-1.svg b/bcs/images/bcs-partner-get-started-1.svg new file mode 100644 index 0000000000..3fda6d92c6 --- /dev/null +++ b/bcs/images/bcs-partner-get-started-1.svg 
@@ -0,0 +1,116 @@ + + + + + bcs-partner-get-started-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-identity-manager.svg b/bcs/images/bcs-partner-identity-manager.svg new file mode 100644 index 0000000000..c75db3c46f --- /dev/null +++ b/bcs/images/bcs-partner-identity-manager.svg @@ -0,0 +1,91 @@ + + + + + bcs-partner-identity-manager + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-install-2.svg b/bcs/images/bcs-partner-install-2.svg new file mode 100644 index 0000000000..e112e26bc1 --- /dev/null +++ b/bcs/images/bcs-partner-install-2.svg @@ -0,0 +1,90 @@ + + + + + bcs-partner-install-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-office-migration-1.svg b/bcs/images/bcs-partner-office-migration-1.svg new file mode 100644 index 0000000000..4d3078c578 --- /dev/null +++ b/bcs/images/bcs-partner-office-migration-1.svg @@ -0,0 +1,67 @@ + + + + + bcs-partner-identitiy-integration-1 + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-policies-set-device-config-1.svg b/bcs/images/bcs-partner-policies-set-device-config-1.svg new file mode 100644 index 0000000000..78c1851ca6 --- /dev/null +++ b/bcs/images/bcs-partner-policies-set-device-config-1.svg @@ -0,0 +1,85 @@ + + + + + bcs-partner-policies-set-device-config-1 + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-policies-view-policies-2.svg b/bcs/images/bcs-partner-policies-view-policies-2.svg new file mode 100644 index 0000000000..a9864295ae --- /dev/null +++ b/bcs/images/bcs-partner-policies-view-policies-2.svg @@ -0,0 +1,78 @@ + + + + + bcs-partner-policies-view-policies-2 + + + + + + + + + + + + + + + + + + + + 
diff --git a/bcs/images/bcs-partner-prepare-office-1.svg b/bcs/images/bcs-partner-prepare-office-1.svg new file mode 100644 index 0000000000..4a32ab1c8a --- /dev/null +++ b/bcs/images/bcs-partner-prepare-office-1.svg @@ -0,0 +1,66 @@ + + + + + bcs-partner-prepare-office-1 + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-remove-3.svg b/bcs/images/bcs-partner-remove-3.svg new file mode 100644 index 0000000000..c0391193d3 --- /dev/null +++ b/bcs/images/bcs-partner-remove-3.svg @@ -0,0 +1,150 @@ + + + + + bcs-partner-remove-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-reset-windows-4.svg b/bcs/images/bcs-partner-reset-windows-4.svg new file mode 100644 index 0000000000..a4edc0ec2e --- /dev/null +++ b/bcs/images/bcs-partner-reset-windows-4.svg @@ -0,0 +1,85 @@ + + + + + bcs-partner-reset-windows-4 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-partner-upgrade-2.svg b/bcs/images/bcs-partner-upgrade-2.svg new file mode 100644 index 0000000000..6caf6e7678 --- /dev/null +++ b/bcs/images/bcs-partner-upgrade-2.svg @@ -0,0 +1,60 @@ + + + + + bcs-partner-upgrade-2 + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-user-management-add-customer-1.svg b/bcs/images/bcs-user-management-add-customer-1.svg new file mode 100644 index 0000000000..ce7d0b8c16 --- /dev/null +++ b/bcs/images/bcs-user-management-add-customer-1.svg @@ -0,0 +1,99 @@ + + + + + bcs-user-management-add-customer-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/images/bcs-user-management-remove-customer-2.svg b/bcs/images/bcs-user-management-remove-customer-2.svg new file mode 100644 index 0000000000..d6e01e0d1e --- /dev/null 
+++ b/bcs/images/bcs-user-management-remove-customer-2.svg @@ -0,0 +1,150 @@ + + + + + bcs-user-management-remove-customer-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/bcs/index.md b/bcs/index.md index 867e2c8492..5dd5c165dc 100644 --- a/bcs/index.md +++ b/bcs/index.md @@ -1 +1,945 @@ -# Placeholder \ No newline at end of file +--- +layout: HubPage +hide_bc: true +author: CelesteDG +ms.author: celested +ms.topic: hub-page +ms.localizationpriority: high +audience: microsoft-business  +title: Microsoft 365 Business documentation and resources +description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners. +--- +
+
+ +
+
+

Microsoft 365 Business documentation and resources

+ + + +
+
diff --git a/bcs/support/microsoft-365-business-faqs.md b/bcs/support/microsoft-365-business-faqs.md new file mode 100644 index 0000000000..9626e4deb5 --- /dev/null +++ b/bcs/support/microsoft-365-business-faqs.md 
@@ -0,0 +1,334 @@ +---  +title: Microsoft 365 Business Frequently Asked Questions  +description: Find answers to the most frequently asked questions about Microsoft 365 Business, a new solution designed for small and midsize businesses (SMB).  +author: CelesteDG  +ms.author: celested  +ms.topic: article  +ms.prod: microsoft-365-business +ms.localizationpriority: high +audience: microsoft-business  +keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers +ms.date: 08/04/2017 +--- + +# Microsoft 365 Business Frequently Asked Questions + +## Introduction + +What is Microsoft 365 Business? +-------------------------------- + +Microsoft 365 Business is a new solution designed for small and midsize businesses (SMB), bringing together the best-in-class productivity and collaboration capabilities of Office 365 with device management and security solutions to safeguard business data. + +Microsoft 365 Business enables you to: + +- **Create your best with tools like** Word, Excel, PowerPoint, Outlook, OneNote and Access. +- **Be productive from anywhere,** with business-class email from Outlook and access to cloud files with OneDrive for Business. +- **Conduct online meetings and get instant messaging** with Skype for Business. +- **Collaborate in real time with the chat-based workspace** Microsoft Teams. +- **Safeguard your business** by enforcing malware protection for Windows devices, with Windows Defender. +- **Help protect your data and intellectual property** with App Protection for Office mobile apps on iOS and Android devices, and + Mobile Device Management (MDM) for Windows 10 PCs. +- **Save time and be protected** with consistent configuration across newly deployed PCs running Windows 10 Business and auto deployment + of Office 365 apps, provided by Windows AutoPilot. +- **Be secured and always up to date** with Office 365 updates and Windows 10. 
+- **Simply manage technology costs** in one subscription, with simple per user, per month pricing. + +Where can I find out more about Microsoft 365 Business? +-------------------------------------------------------- + +Customers and partners can visit [http://www.microsoft.com/microsoft-365/business](http://www.microsoft.com/microsoft-365/business) where they can sign up to see a demo of Microsoft 365 Business in +action. The preview will be accessible from the web site on August 2, 2017. + +Who should consider adopting Microsoft 365 Business? +----------------------------------------------------- + +Microsoft 365 Business was built for small and midsize customers that have little to no IT resources on staff and want best-in-class productivity and collaboration capabilities of Office 365 together with +device management and security solutions that safeguard business data. + +How can I get Microsoft 365 Business for my business? +------------------------------------------------------ + +Microsoft 365 Business may be purchased through a [Microsoft Partner](https://partnercenter.microsoft.com/en-us/pcv/search) or directly from +[Microsoft](http://www.microsoft.com/microsoft-365/business). In choosing whether to purchase directly from Microsoft or via a Microsoft Partner, you should consider your on-staff capability and desire to +maintain an IT infrastructure. A Microsoft Partner can help you deploy and manage your IT infrastructure including Microsoft solutions. + +How much will Microsoft 365 Business cost? +------------------------------------------- + +Microsoft 365 Business will be offered at USD\$20.00/mo./user based on an annual contract if purchased directly from Microsoft. When purchased through a Microsoft Partner, pricing can vary based on the services the +partner provides and their pricing model for Microsoft 365 Business. There are no planned pricing discounts for government, education or non-profit organizations. 
+ +How are customers billed for Microsoft 365 Business subscriptions? +------------------------------------------------------------------- + +When Microsoft 365 Business is purchased via a Microsoft Partner, the bill will come from that Partner and may include additional products and services outside of the subscription pricing. When purchased directly +from Microsoft, the customer is billed by Microsoft. + +Is there a cap to how many Microsoft 365 Business seats a customer can have? +----------------------------------------------------------------------------- + +Microsoft 365 Business was designed for small to medium sized businesses with low to medium IT complexity requirements. Customers may purchase up to 300 Microsoft 365 Business licenses for their organization. Depending +on their organization’s IT requirements, they may add Microsoft 365 Enterprise licenses to the same environment. + +When considering an environment consisting of multiple subscription types, customers should work with their trusted IT advisors to determine how best to manage and secure the various subscriptions as Microsoft 365 +Business and Microsoft 365 Enterprise use different capabilities to secure and manage applications and data. + +Can I combine Microsoft 365 Business with other Microsoft subscription offerings? +---------------------------------------------------------------------------------- + +Yes, customers can combine their Microsoft 365 Business subscriptions with plans and add-ons from Azure, Dynamics and Office 365. + +Does everyone in my business required to have a Microsoft 365 Business subscription? +------------------------------------------------------------------------------------- + +No, not everyone needs a Microsoft 365 Business subscription, although the security and management benefits are available only to those users with devices managed with a Microsoft 365 Business subscription. 
+ +Standardizing an IT environment serves to help reduce maintenance and security costs over time and is a state that businesses should strive to attain. However, we recognize that some small and medium size customers +update their software primarily when they upgrade their hardware, over an extended period of time. Businesses can deploy Microsoft 365 Business to part of their organization, but for best protection of sensitive +business data and consistent collaboration experiences, deployment to all users is recommended. + +How can I know if the hardware and software I run today is compatible with Microsoft 365 Business? +--------------------------------------------------------------------------------------------------- + +If the hardware you run today runs Windows 7 Professional or later, it likely meets the minimum requirements for Microsoft 365 Business. +Certain Windows 10 features such as Cortana, Windows Hello and multi-touch require specific hardware that is only available on newer PCs. See the [Windows 10 Pro system +requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) for additional details. + +Existing desktop (Win32) application compatibility is strong in Windows 10, with most existing applications working without any changes. Customers and their trusted IT advisors should read the recommended +application testing process for [Windows 10 compatibility](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-compatibility#recommended-application-testing-process) +and review the [Office system requirements](https://products.office.com/en-us/office-system-requirements#subscription-plans-section) to ensure a smooth transition to Microsoft 365 Business. + +What is Windows 10 Business? +----------------------------- + +Windows 10 Business is a set of cloud-services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business. 
Windows 10 Business also comes with Windows AutoPilot, a service that streamlines the deployment of new Windows 10 PCs. If you have devices that are licensed for Windows 7, 8 and 8.1 Professional, Microsoft 365 Business provides an upgrade to Windows 10 Pro which is the prerequisite for deploying Windows 10 Business. + +How does Microsoft 365 Business help support my company’s Bring Your Own Device (BYOD) policy? +----------------------------------------------------------------------------------------------- + +Many employees prefer to use their own mobile phones or tablets to access personal and work information rather than carrying multiple devices for each purpose. The use of personal devices for work, while commonplace, increases the risk that business information could end up in the wrong hands. Many competing mobile data protection solutions require users to switch to a specific mode on their device or use another complex mechanism that users may find intrusive and therefore avoid using. + +Microsoft 365 Business offers customers a simple but powerful means of enabling employees to use their personal devices for work while providing the business with the ability to prevent those devices from accessing, retaining and/or sharing business information. More specifically: + +- **App Protection for Office mobile** helps **apps** protect Office data, including email, calendar, contacts, and documents on iOS and Android mobile devices, by enforcing policies such as automatically deleting business data after a prescribed amount of time of not connecting to the service, requiring that information is stored only to OneDrive for Business, requiring a PIN/fingerprint verification to access Office apps, and preventing company data from being copied from an Office app into personal apps. 
+- **Mobile Device Management** (MDM) for Windows 10 devices allows businesses to choose to set and enforce capabilities such as Windows Defender protection for malware, automatic updates, and turning off screens after a prescribed amount of time. In addition, lost or stolen Windows 10 devices can be completely wiped of business applications and data through the Admin center. + +How does Microsoft 365 Business help protect PCs in my organization from malicious attacks? +-------------------------------------------------------------------------------------------- + +PCs managed with Microsoft 365 Business are protected with Windows Defender, which is the No. 1 antivirus feature on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than +any other solution. With Microsoft 365 Business, businesses can ensure Windows Defender protection is running and always up to date on all their Windows 10 devices. + +### What's the difference between Office 365 Business Premium, Microsoft 365 Business and Microsoft 365 Enterprise? + +Microsoft has a variety of productivity and security management offerings that small to medium-sized customers may consider when upgrading their desktop and device infrastructure, each bringing increasingly powerful features and functionality. + +**Office 365 Business Premium** delivers best-in-class productivity with Office 365 apps and services but does not include the application protection and device management capabilities of Microsoft 365 Business. + +**Microsoft 365 Business** combines Office 365 apps and services with mobile application management and Windows 10 Pro to enable remote management and help protect devices against viruses and malware. It includes a simplified management console through which device and data policies may be administered. 
Many small to midsize businesses can be best served with Microsoft 365 Business, although those in highly regulated industries may require more advanced functionality provided by Microsoft 365 Enterprise plans (E3 and E5). + +**Microsoft 365 Enterprise** is a set of licensing plans that offer increased levels of mobility and security management over Microsoft 365 Business and are designed for enterprise customers and those customers that are required or regulated to provide the highest level of protection for their data. In addition, Microsoft 365 Business plans provide additional functionality including business intelligence and analytics tools. + +Can I switch my Office 365 plan to Microsoft 365 Business? +----------------------------------------------------------- + +Yes, customers may switch their plans from a qualifying Office 365 plan to Microsoft 365 Business is generally available. Depending on the customer’s current plan there may be a decrease or increase in monthly charges. + +In what regions will Microsoft 365 Business be available? +---------------------------------------------------------- + +The Microsoft 365 Business will be available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability). + +## Public Preview + +Who has access to the Microsoft 365 Business preview? +------------------------------------------------------ + +The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability). + +I’m an existing Office 365 customer. Can I access the Microsoft 365 Business preview? 
+------------------------------------------------------------------------------------- + +Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time. + +When will Microsoft 365 Business preview be available? +------------------------------------------------------- + +The Microsoft 365 Business preview will be available starting on August 2, 2017. + +In what regions is the Microsoft 365 Business preview available? +----------------------------------------------------------------- + +The Microsoft 365 Business preview is available to all partners and customers where Office 365 is available. [See the list of Office 365 international availability for languages, countries and regions](https://products.office.com/en-us/business/international-availability). + +When will Microsoft 365 Business be generally available? +--------------------------------------------------------- + +Microsoft 365 Business is expected to be generally available toward the end of the calendar year. + +Is there a limit to how many users can experience the preview? +--------------------------------------------------------------- + +Each organization can up to 300 users on Microsoft 365 Business during the preview. + +What should customers and partners know before running Microsoft 365 Business within their organization? +--------------------------------------------------------------------------------------------------------- + +Customers that wish to experience the complete capabilities of Microsoft 365 Business must be running Windows 7, 8.1 or 10 Pro\* on their existing desktops. 
Customers who use on-premises Active Directory must switch to cloud identity and management as part of their deployment. Existing Windows 10 Pro PCs should be running Creators Update if they have not already done so. + +\*Devices running Windows 7 or 8.1 Pro are eligible for an upgrade to +Windows 10 Pro within the Microsoft 365 Business preview. + +Is there any charge for the Microsoft 365 Business preview? +------------------------------------------------------------ + +No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business. + +I’m an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview? +------------------------------------------------------------------------------------------------------------------------------------------ + +The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview. + +What is the best way to deploy Microsoft 365 Business in my organization? +-------------------------------------------------------------------------- + +Partner-assisted deployment is the recommended way to deploy Microsoft 365 Business preview. Contact your Microsoft Partner and ask them if they are participating in the Microsoft 365 Business Preview Trial. Your Partner is well-equipped to help customers understand their options and make the best recommendations for deploying Microsoft 365 Business preview in your organization. 
+ +If you do not have a Microsoft partner, you can find one [here](https://partnercenter.microsoft.com/en-us/pcv/search). + +## Deployment + +What should customers consider when planning a Microsoft 365 Business deployment? +---------------------------------------------------------------------------------- + +The most direct path to a successful Microsoft 365 Business deployment is to engage with a Microsoft Partner. They have extensive training and experience with a wide variety of customer scenarios and are best equipped to understand your environment and needs. Customers that have experienced IT on staff can use the [Microsoft 365 Business Getting Started](https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364) to assist them in their Microsoft 365 Business deployment. + +Does Microsoft 365 Business include the full capabilities of Microsoft Intune? +------------------------------------------------------------------------------- + +Microsoft 365 Business includes a robust set of mobile app management capabilities powered by Microsoft Intune. These are a subset of Intune features, specifically chosen to meet the needs of SMBs and organized to be easily managed via a simplified administration experience. If a company requires the full capabilities of Intune, they can purchase a Microsoft 365 Enterprise plan. + +Does Microsoft 365 Business allow customers to manage Macs? +------------------------------------------------------------ + +The security and management capabilities of Microsoft 365 Business pertain to iOS, Android mobile devices, and Windows PCs. + +What is Windows AutoPilot? +--------------------------- + +Windows AutoPilot is a service that streamlines the deployment of new Windows 10 PCs. This process can be done when the end-user logs on to Microsoft 365 Business for the first time— without IT ever touching the device—by leveraging centralized management controls of Microsoft 365 Business. 
You can also use Windows AutoPilot for existing PCs that are running Windows 10 Professional Creators Update and have been factory reset. Details about Windows AutoPilot can be found in [this June blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-AutoPilot/). + +## Compatibility + +Can I add Office 365 E5 add-ons to Microsoft 365 Business? +----------------------------------------------------------- + +All the add-ons that can be added to Office 365 Business Premium can be added to Microsoft 365 Business. This means that you can purchase Advanced Threat Protection, Advanced Security Management, Customer Lockbox, Advanced eDiscovery, MyAnalytics, PowerBI Pro, and PSTN Conferencing. + +Can I add Cloud PBX and PSTN Calling plans to Microsoft 365 Business? +---------------------------------------------------------------------- + +At this time, these capabilities are reserved for customers who have more advanced needs. Customers who require Cloud PBX or PSTN Calling plans should look at Microsoft 365 Enterprise offerings. + +Can I use add on Archiving or additional storage to Microsoft 365 Business? +---------------------------------------------------------------------------- + +Yes, you can add on additional archiving or storage to Microsoft 365 Business. + +Can Microsoft 365 Business customers use Windows Defender Advanced Threat Protection? +-------------------------------------------------------------------------------------- + +No, customers that require Windows Defender Advanced Threat Protection need either Windows 10 Enterprise E5 or Microsoft 365 Enterprise E5. + +Can I use Windows Information Protection with Microsoft 365 Business? 
+---------------------------------------------------------------------- + +Yes, Windows Information Protection (WIP) is a feature of Windows 10 Pro and helps businesses prevent accidental leaks by restricting user and app access to business files based on policies you define. Your business data is protected no matter where it lives on your devices—without affecting your user experience. Microsoft 365 Business includes controls to ensure Windows Information Protection is properly configured and automatically deployed to end-user devices. + +Can customers use Microsoft 365 Business with on-premises Active Directory? +---------------------------------------------------------------------------- + +To realize the full value of Windows 10, Windows 10 PCs need to be joined to Azure Active Directory. You may use Microsoft 365 Business with Windows 10 devices +joined to on-premises Active Directory but it is not recommended because you won’t be able to enforce policies from the Microsoft 365 Business Admin console. + +Can customers create hosted Windows 10 VMs with a Microsoft 365 Business subscription? +--------------------------------------------------------------------------------------- + +No, customers that require virtualization should purchase Windows 10 Enterprise or a Microsoft 365 Enterprise subscription. + +## Partner Opportunity + +Where can I learn more about the opportunities and benefits in becoming a Microsoft Partner? +--------------------------------------------------------------------------------------------- + +IT service providers that are not already Microsoft partners can learn more about the Microsoft Cloud Solution Provider program at +[https://partner.microsoft.com/cloud-solution-provider](https://partner.microsoft.com/cloud-solution-provider). + +Where can I learn how to sell Microsoft 365 Business? 
+------------------------------------------------------ + +Partners now selling Office 365 can use the same consultative selling methods to sell Microsoft 365 Business. In addition, we are introducing resources and training for your sales team to understand the customers’ existing desktop environment, Active Directory reliance, mobility and security needs to effectively communicate the full value of Microsoft 365 Business in a way that is relevant to the customer. Find these resources on the Office Partner portal at +[http://partners.office.com](http://partners.office.com/). + +How can Microsoft 365 Business help partners increase the profitability? +------------------------------------------------------------------------- + +Microsoft 365 Business will help partners reduce costs through greater operational efficiencies and enhance revenue through the sale of additional services. The Forrester Research, Microsoft 365 Business Total Economic Impact (TEI) Study, June 2017 [(available on the partner portal)](http://partners.office.com/), demonstrates that Microsoft 365 Business will have positive impact on partner profitability. + +In the TEI study partners reported that with Microsoft 365 Business they +expect: + +- 20%-point increase in \[one-time\] deployment and advisory services revenue +- 10%-point increase in attach rate of managed services +- 8%-point increase in consulting and \[ongoing\] managed services profit margins (from lower costs) + +What resources are available to partners to sell, deploy and support Microsoft 365 Business? + +Microsoft provides a wide selection of resources for CSP partners to market, sell, and support Microsoft 365 Business. They can be found at +[http://partners.office.com](http://partners.office.com/). + +What up-sell opportunities does Microsoft 365 Business give partners? 
+---------------------------------------------------------------------- + +Microsoft 365 Business allows partners to maintain their trusted advisor position with customers, by creating a solid and secure platform upon which to sell additional services, or upgrade existing products and services. Microsoft 365 Business provides an opportunity to have an upgrade discussion with customers now using Exchange Server, Exchange Online or Office 365 Business Essentials. Partners may also gain additional revenue from increased managed services and/or per-user +support fees. + +With the new Windows AutoPilot feature included in Microsoft 365 Business, partners who have been reluctant to sell new Windows devices due to deployment logistics and costs may now find this opportunity much more attractive. Customers who are confident in the security of their onpremise and mobile devices are also more likely to invest in additional services, such as Dynamics 365. + +Should partners sell Microsoft 365 Business over other plans from Microsoft? +----------------------------------------------------------------------------- + +A Microsoft Cloud Solution Provider should always sell the plan that best suits its customer business needs and budget. For example, if a customer must comply with privacy and security regulations, a CSP may sell Microsoft 365 Business plus any add-ons that help the customer meet its requirements or may suggest the advanced security and management provided by Microsoft 365 Business E SKUs. + +I have devices that are not genuine; will Microsoft 365 Business make my devices genuine? +------------------------------------------------------------------------------------------ + +No, Microsoft 365 Business does not make an otherwise non-genuine version of Windows, genuine. Microsoft 365 Business does provide an upgrade benefit allowing those customers running genuine Windows 7, 8 or 8.1 Pro to upgrade to the most recent, genuine version of Windows 10 Pro. 
+ +How do partners make any money offering the Microsoft 365 Business preview to their customers? +----------------------------------------------------------------------------------------------- + +Partners can realize revenue opportunities by deploying Microsoft 365 Business preview and providing other managed services that support the solution. + +What is the exact name of the Microsoft 365 Business preview SKU and when will it be available? +------------------------------------------------------------------------------------------------ + +The Microsoft 365 Business preview is called the Microsoft 365 Business Preview Trial and will be on August 2 CSP Price List. + +How can I convert a preview customer subscription to Microsoft 365 Business when it is generally available? +------------------------------------------------------------------------------------------------------------ + +We will provide more information on converting Microsoft 365 Business preview customers to subscribers later. + +What support is available to CSP partners for the Microsoft 365 Business Preview? +---------------------------------------------------------------------------------- + +The same support channels available to CSP partners today (premier support and advanced support program) have been trained on Microsoft 365 +Business and are ready to provide partners with support. + +What is the GDPR and how does Microsoft 365 Business help customers with their compliance obligations? +------------------------------------------------------------------------------------------------------- + +The General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” and requires organizations to maintain the integrity of that personal data. 
The GDPR requires organizations that control, or process personal data tied to EU residents to only use third-party data processors that meet the GDPR’s requirements for personal data processing. In March 2017, Microsoft made +available contractual guarantees that provide these assurances. Customers who have questions about how Microsoft can help them meet their additional GDPR obligations should learn about the advanced compliance and security capabilities available as add-ons (e.g. Azure Information Protection) and in other Suites (e.g. Microsoft 365 Enterprise E5). To learn more, visit [www.microsoft.com/gdpr](http://www.microsoft.com/gdpr). \ No newline at end of file diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index c0e8ff73af..4188a5ce94 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -6,7 +6,7 @@ ms.prod: edge ms.mktglfcycl: general ms.sitesec: library title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros) -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Edge - Deployment Guide for IT Pros diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index c62e0d7b6a..097833b6a3 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -6,7 +6,7 @@ ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) -localizationpriority: high +ms.localizationpriority: high --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -656,7 +656,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### ClearBrowsingDataOnExit - **Supported versions:** Windows 10, version 1703 -- **Supported devices:** Both +- **Supported devices:** Desktop - **Details:** 
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 0ce06c2d4f..e3c6a0b2d7 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -4,7 +4,7 @@ description: This topic lists new and updated topics in the Microsoft Edge docum
 ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Change history for Microsoft Edge
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index 1f3cf5ea43..4889826de3 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: appcompat
 title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Use Enterprise Mode to improve compatibility
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 25a4a724e7..8cb8912f67 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -6,7 +6,7 @@ ms.prod: edge
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: appcompat
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Browser: Microsoft Edge and Internet Explorer 11
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index d423c37bd4..86a1452f93 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Edge requirements and language support diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md index 17ac7d1722..3a25ecae1e 100644 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ b/browsers/edge/security-enhancements-microsoft-edge.md @@ -5,7 +5,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -localizationpriority: high +ms.localizationpriority: high --- # Security enhancements for Microsoft Edge diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md index 11347ac764..4354799a3d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: security description: How to use Group Policy to install ActiveX controls. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md index 0f99fc6a7b..ef4614e5b5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md 
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to add employees to the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
index 9660d3d146..47e96aaed6 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can add multiple sites to your Enterprise Mode site list by creating a custom text (TXT) or Extensible Markup Language (XML) file of problematic sites and then adding it in the Bulk add from file area of the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
index 327a105fef..6c4f7048d3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Add multiple sites to your Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
index 1140d08486..46952fd95a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that's designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 3ee1358e16..0e8d8237e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that''s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index 137b689b2f..a88856b77f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Administrative templates and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
index 0b6cee7d40..8c0981e62e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index 3ab6081d7c..4dd48ddc84 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto configuration and auto proxy problems with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 5b02b0d37f..4eca33dad5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto configuration settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index c454b9eb42..9ac1090d30 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto detect settings Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index a9ac089edf..4fc46f4332 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: networking
 description: Auto proxy configuration settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index 36de09f8ce..b0262d2a24 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: performance
 description: Browser cache changes and roaming profiles
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index aab097bf2f..c97e0694da 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
 description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
 ms.mktglfcycl: deploy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
index 846ede6863..b79f14ce2b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
index ccf72489f1..afc154053d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Choose how to deploy Internet Explorer 11 (IE11)
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 9c4a55c2bd..82329fbc99 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Choose how to install Internet Explorer 11 (IE11)
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index d4e3ae973c..d253c6156f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
index 0c2fcabf27..f2e96ee768 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index dee66ac9d8..94d579eef2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to create a change request within the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
index 51f61a1b66..7766c1a797 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Create packages for multiple operating systems or languages
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index 7a8162ee05..50a6b4da46 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Customize Internet Explorer 11 installation packages
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 267c606f8b..6407c0ac49 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 description: Delete a single site from your global Enterprise Mode site list.
 ms.pagetype: appcompat
 ms.mktglfcycl: deploy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
index 846a265850..147018d84a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: You can deploy Internet Explorer 11 to your users' computers by using your custom browser packages and Automatic Version Synchronization (AVS).
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index 6654729ec6..7b2497adb5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Deploy Internet Explorer 11 using software distribution tools
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 708fccaaa2..284c39cf4a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e624e6db2e..4b095c080f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Windows Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
index 004a42cb19..3fbdaa6e0f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can use Internet Explorer 11 and the Enterprise Mode Site List Manager to change whether page rendering should use Enterprise Mode or the default Internet Explorer browser configuration. You can also add, remove, or delete associated comments.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index 68b09c2320..42b9794117 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enable and disable add-ons using administrative templates and group policy
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index 971612c41b..b94efcee8d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enhanced Protected Mode problems with Internet Explorer
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
index 1d96ecb7cf..fc72177321 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 16c87cb775..f1ef88dc96 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 7 or Windows 8.1 Update.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 5c003a24c1..b91676a518 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the Enterprise Mode Site List Manager to create and update your Enterprise Mode site list for devices running Windows 10.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index 6cbc411a30..58dccc1956 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index c8d09c6157..2c2394be4a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: The Internet Explorer 11 Enterprise Mode site list lets you specify document modes for specific websites, helping you fix compatibility issues without changing a single line of code on the site.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
index cb34e15ac9..cd6d84a04f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: When you add multiple sites to your Enterprise Mode site list entries, they’re validated by the Enterprise Mode Site List Manager before they’re entered into your global list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
index eed0b6ac55..098689f0fc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, Advanced Group Policy Management (AGPM), and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index 2a7f645030..8aca2f5360 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
index c7f5e51beb..f2ef7bb7bd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the topics in this section to learn about Group Policy and how to use it to manage Internet Explorer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index 4e9b26b3fc..6f5e1b4a4e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy, the Local Group Policy Editor, and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
index 763f3e3eec..54bb62092b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-compatability-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Group Policy suggestions for compatibility with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 37e54ed67e..1c208097c9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview of the available Group Policy management tools
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
index 4d460e76ab..680bd630f4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Info about Group Policy preferences versus Group Policy settings
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 037d8a5da7..ec141c7c9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Links to troubleshooting topics and log files that can help address Group Policy problems with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index f30e991051..f757093789 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Instructions about how to create and configure shortcut preference extensions to file system objects, URLs, and shell objects.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index c44db29784..ccf390f9e1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
index a896a41f84..921273e4e7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index 4a37a95e9a..4f7924e1da 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -6,7 +6,7 @@ ms.prod: ie11 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) ms.sitesec: library -localizationpriority: low +ms.localizationpriority: low --- diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index c75819476b..a6ba3a7bb6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. author: eross-msft diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 94b6be9b40..17ac01f346 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. author: eross-msft 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index 63cbd88f37..6281115099 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using Microsoft Deployment Toolkit (MDT) and your Windows images.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 8a65258e74..783308e29a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
index 7c9f00ad35..bd7c36ded8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using your network
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
index bc3474ac70..4f2f21d001 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using third-party tools and command-line options.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index a06e7ae728..c7ea390ba5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to install the Internet Explorer 11 update using Windows Server Update Services (WSUS)'
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 0469d85cb3..3cefac76d0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to fix potential installation problems with Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
index c3ddb1943c..815918068a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to fix intranet search problems with Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 8f73d5b3da..a50b6b626c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for Internet Explorer.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index 3964c4c779..e9b77343c8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: IEM-configured settings have been deprecated for Internet Explorer 10 and newer. Use this topic to learn where to go to fix the affected settings through Group Policy Preferences, Administrative Templates (.admx), or the IEAK.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index d25450aae1..48920354dc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
index 75d0ad1469..b346d9663e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: How to turn managed browser hosting controls back on in Internet Explorer 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 54b1f1eb74..549d485a7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: New group policy settings for Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 04b5f82c88..812ea91600 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use out-of-date ActiveX control blocking to help you know when IE prevents a webpage from loading outdated ActiveX controls and to update the outdated control, so that it’s safer to use.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 8a1618533a..9eb372320e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index 72143e9cb1..006b713c0d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to clear all of the sites from your global Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index cf988c785a..281568ca5a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
index 9712b3448d..58d4be5197 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
index c13d249a8a..173cc8e6ae 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: You can save your current Enterprise Mode compatibility site list as an XML file, for distribution and use by your managed systems.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 6d4ae0d626..f2e75998a0 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
index a26554c11b..88a167124d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Search to see if a specific site already appears in your global Enterprise Mode site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 66d13bed09..734c2d3528 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index 32d0ba628a..4090e6204f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Set up and turn on Enterprise Mode logging and data collection in your organization.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index e23bce2182..589b6569fd 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
index 455a3aa91f..4a466fb09f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 ms.pagetype: appcompat
 description: Reviewing log files to learn more about potential setup problems with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index 752fb6e58a..dde74d8390 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Lists the minimum system requirements and supported languages for Internet Explorer 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
index 7dec9d7851..48b4ca2166 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with Internet Explorer.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index cd25d1df05..3547f5a51e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn Enteprrise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
index 49f803662c..24332033a5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Turn off natural metrics for Internet Explorer 11
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index ef3ed29d52..41c029dc92 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn on Enterprise Mode and specify a site list.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 04edbdc3b7..32e4dc1a7b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Turn on local user control and logging for Enterprise Mode.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index af1ea520b4..b3d5c7bda5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: High-level info about some of the new and updated features for Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
index a478fd9557..55e577f222 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
index 06a50bf079..35f92c7b1c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Manager.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
index 86929579b2..2a1c9fc1fe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Info about where features went in the IEAK11, where the Favorites, Command, and Status bars went, and where the search bar went.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
index 2a51d2abad..3eec3b0b6b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use this section to learn about how to turn on and use IE7 Enterprise Mode or IE8 Enterprise Mode.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
index ba9ab11557..2fefd87543 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 while planning, customizing, and building the custom installation package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index 7e15a06d41..e0f6bb66c8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use Setup Information (.inf) files to create installation packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index ad7ff7fb3e..3d375dbc9e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
index 9b17b1c55d..c0eb8995ed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
index 90be9b01af..6408a81893 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
index 39742890ba..19789bc48b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index bcf1dc7226..bfd4682de3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: virtualization
 description: Virtualization and compatibility with Internet Explorer 11
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index f803185980..57ef5c82da 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Info about the features included in Enterprise Mode with Internet Explorer 11.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 443fee4ab1..570bd3b72b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 ms.pagetype: security
 description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
index 6c23ee0748..f0e1333a10 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 384f432713..86092448c2 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: explore
 description: Frequently asked questions about Internet Explorer 11 for IT Pros
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
index e44077d74d..dc8a3b1dd6 100644
--- a/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Accelerators page in the IEAK 11 Customization Wizard to add accelerators to employee devices.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
index 0a2f864dce..70d6fb8c90 100644
--- a/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use IEAK 11 to add and approve ActiveX controls for your organization.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
index 1ed9bf67b0..1d2860516a 100644
--- a/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: We’re sorry. While we continue to recommend that you digitally sign your package, we’ve removed all of the functionality that allowed you to add a root certificate using the Internet Explorer Customization Wizard 11. The wizard page itself will be removed in a future version of the IEAK.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
index f8749f2d50..8556b6edd2 100644
--- a/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Additional Settings page in IEAK 11 Customization Wizard for additional settings that relate to your employee’s desktop, operating system, and security.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
index 2147e5ba34..b17332600a 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Automatic Configuration page in the IEAK 11 Customization Wizard to add URLs to auto-configure IE.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 16ee9d90bb..6c653f08fc 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to set up automatic detection for DHCP or DNS servers using IEAK 11 in your organization.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
index a348c82fd6..c8ad903c3a 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Automatic Version Synchronization page in the IEAK 11 Customization Wizard to download the IE11 Setup file each time you run the Wizard.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
index 9c66fd3777..c25d42016e 100644
--- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: A list of steps to follow before you start to create your custom browser installation packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
index ecbaa2500e..279fa2b311 100644
--- a/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[Branding\] .INS file setting to set up your custom branding and setup info in your browser install package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
index de3cd4ccb5..1862eda60d 100644
--- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Browser User Interface page in the IEAK 11 Customization Wizard to change the toolbar buttons and the title bar.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
index f11633eec9..e06625af10 100644
--- a/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[BrowserToolbars\] .INS file setting to customize your Internet Explorer toolbar and buttons.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
index 3f600fbdde..d3d191860d 100644
--- a/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Browsing Options page in the IEAK 11 Customization Wizard to manage items in the Favorites, Favorites Bar, and Feeds section.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
index 1ea07d8c49..0ae82866c4 100644
--- a/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[CabSigning\] .INS file setting to customize the digital signature info for your apps.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
index 26271c2666..12383d14d1 100644
--- a/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: We’re sorry. We’ve removed all of the functionality included on the **Compatibility View** page of the Internet Explorer Customization Wizard 11.
diff --git a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
index 0775380c68..2f256e9354 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: We’re sorry. We’ve removed all of the functionality included on the **Connection Manager** page of the Internet Explorer Customization Wizard 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
index ffc214c941..a2eaa01f8f 100644
--- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Connection Settings page in IEAK 11 Customization Wizard to import and preset connection settings on your employee’s computers.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
index 76e9f16992..cad1e630c5 100644
--- a/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[ConnectionSettings\] .INS file setting to specify the network connection settings needed to install your custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
index 7b502d02d9..142e588090 100644
--- a/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: How to create your folder structure on the computer that you’ll use to build your custom browser package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
index db345fee37..0a455e71be 100644
--- a/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review this list of tasks and references before you create and deploy your Internet Explorer 11 custom install packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
index 947b9febe9..8657bcb1fb 100644
--- a/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Steps to create multiple versions of your custom browser if you support more than 1 version of Windows, more than 1 language, or have different features in each package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
index 1715dfaa58..90ad44025b 100644
--- a/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+++ b/browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use Setup information (.inf) files to uninstall custom components from your custom browser packages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
index 86c289b22d..baa1c3fc79 100644
--- a/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Custom Components page in the IEAK 11 Customization Wizard to add additional components for your employees to install with IE.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
index 78c4f245a3..5ea1931ea9 100644
--- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Use the \[CustomBranding\] .INS file setting to specify the location of your branding cabinet (.cab) file.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
index 7f915b87aa..68231a4a67 100644
--- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
+++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: manage
 description: Customize Automatic Search in Internet Explorer so that your employees can type a single word into the Address box to search for frequently used pages.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
index ae010258c3..6b5cfadd74 100644
--- a/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[ExtRegInf\] .INS file setting to specify your Setup information (.inf) files and the installation mode for your custom components.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
index 44dcbe0155..41b6867002 100644
--- a/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Favorites, Favorites Bar, and Feeds page in IEAK 11 Customization Wizard to add links, web slices, and feeds to your custom browser package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
index 51042e42b8..a3a9197a05 100644
--- a/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[FavoritesEx\] .INS file setting to specify your Favorites icon file, whether Favorites is available offline, and your Favorites URLs.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
index f7861e2e5c..a842d3aea4 100644
--- a/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Feature Selection page in the IEAK 11 Customization Wizard to choose which parts of the setup processes and Internet Explorer 11 to change for your company.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
index 548ad0016d..6192ecb053 100644
--- a/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the File Locations page in the IEAK 11 Customization Wizard to change the location of your install package and IE11 folders.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
index 5c4deb0b5d..b77750a229 100644
--- a/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/file-types-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review the file types that are created and used by tools in the Internet Explorer Administration Kit 11 (IEAK 11).
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
index 27fc79e06b..3ce8f21b44 100644
--- a/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the First Run Wizard and Welcome Page Options page in the IEAK 11 Customization Wizard to set what your employee’s see the first time they log on to IE, based on their operating system.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
index ec2a66bc57..2bd9a5b5e4 100644
--- a/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Customization guidelines for your Internet Explorer toolbar button and Favorites List icons.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
index 8d43bef26a..e778a8a516 100644
--- a/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: List of supported hardware and software requirements for Internet Explorer 11 and the Internet Explorer Administration Kit 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
index 753268c6b2..d9fabda403 100644
--- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[HideCustom\] .INS file setting to decide whether to hide the GUID for each custom component.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
index f1a75a85d0..4a41872c22 100644
--- a/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+++ b/browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Reference about the command-line options and return codes for Internet Explorer Setup.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
index db66d6f706..2dec226b06 100644
--- a/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
+++ b/browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Review the options available to help you customize your browser install packages for deployment to your employee's devices.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
index 13fff054c3..2c1d2a51c8 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Reference about the command-line options for the IExpress Wizard.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
index a863e88fd8..e419776ec7 100644
--- a/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
+++ b/browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the IExpress Wizard on Windows Server 2008 R2 with SP1 to create self-extracting files to run your custom Internet Explorer Setup program.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
index 74acabee72..9a7f220abd 100644
--- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
@@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Important URLs - Home Page and Support page in the IEAK 11 Customization Wizard to choose one or more **Home** pages and an online support page for your customized version of IE. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index 00b9d78815..2bfdfbfdd9 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -6,7 +6,7 @@ ms.prod: ie11 ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -localizationpriority: low +ms.localizationpriority: low --- diff --git a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md index 22e16c2e81..774836dae6 100644 --- a/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md @@ -1,5 +1,5 @@ --- -localizationpriority: low +ms.localizationpriority: low ms.mktglfcycl: deploy description: How to use the Internal Install page in the IEAK 11 Customization Wizard to customize Setup for the default browser and the latest browser updates. author: eross-msft diff --git a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md index 01f34bb4f1..0523806f11 100644 --- a/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md 
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[ISP_Security\] .INS file setting to add the root certificate for your custom Internet Explorer package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
index 625df35a75..09392580d3 100644
--- a/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Language Selection page in the IEAK 11 Customization Wizard to choose the lanaguage for your IEAK 11 custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 87187bf8c3..8bb63453c9 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Learn about which version of the IEAK 11 you should run, based on your license agreement.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
index 0a11cced95..c1ff2be4c5 100644
--- a/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[Media\] .INS file setting to specify the types of media on which your custom install package is available.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
index 83b0d79dd5..e853869555 100644
--- a/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Package Type Selection page in the IEAK 11 Customization Wizard to pick the media type you’ll use to distribute your custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
index 0edf5578ef..ff41cfb4b4 100644
--- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
index 5b0a24fd55..a950b3c6a3 100644
--- a/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Learn about what you need to do before you deploy your custom browser package using IEAK 11 over your network.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
index 5cc0312c67..0bcdc1f6c3 100644
--- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
index fbd10a4080..a921199911 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Learn about how to use a proxy auto-configuration (.pac) file to specify an automatic proxy URL.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
index eb04586dcd..bea9403375 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[Proxy\] .INS file setting to define whether to use a proxy server.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
index 3a1e0162be..d2052087ce 100644
--- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Proxy Settings page in the IEAK 11 Customization Wizard to pick the proxy servers used to connect to required services.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
index 1a490542ed..45a27ee082 100644
--- a/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Learn how to register an uninstall app for your custom components, using IEAK 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
index c8c82c121b..8cc3bcd310 100644
--- a/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: manage
 description: Learn how to use the Resultant Set of Policy (RSoP) snap-in to view your policy settings.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
index f8816f6d9a..a0e4286e8d 100644
--- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Search Providers page in the IEAK 11 Customization Wizard to add additional providers and set the default.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
index 61e6caf344..809652df55 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: plan
 description: Learn about the security features available in Internet Explorer 11 and IEAK 11.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
index d88993dbe2..9f5cadf768 100644
--- a/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Security and Privacy Settings page in the IEAK 11 Customization Wizard to manage your security zones, privacy settings, and content ratings.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
index 2c1379c97b..2267ccc2c3 100644
--- a/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[Security Imports\] .INS file setting to decide whether to import security info to your custom package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
index b6c2290c54..4d655da341 100644
--- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: support
 description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
index d508dffd3a..33120276a5 100644
--- a/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
+++ b/browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Use the \[URL\] .INS file setting to decide whether to use an auto-configured proxy server.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
index 2417baf652..0fd4a2c8bd 100644
--- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the User Experience page in the IEAK 11 Customization Wizard to decide user interaction with the Setup process.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
index dc16dd86ec..6b88d3fa5e 100644
--- a/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
+++ b/browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: Info about how to use Internet Settings (.ins) files and the IEAK 11 to configure your custom browser package.
 author: eross-msft
diff --git a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
index 2fad3b0d54..96fbaaaa45 100644
--- a/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
+++ b/browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md
@@ -1,5 +1,5 @@
 ---
-localizationpriority: low
+ms.localizationpriority: low
 ms.mktglfcycl: deploy
 description: How to use the Wizard Complete - Next Steps page in the IEAK 11 Customization Wizard to build your custom Internet Explorer install package.
 author: eross-msft
diff --git a/browsers/internet-explorer/index.md b/browsers/internet-explorer/index.md
index 79a0d7af08..65aa2dda43 100644
--- a/browsers/internet-explorer/index.md
+++ b/browsers/internet-explorer/index.md
@@ -6,7 +6,7 @@ ms.prod: IE11
 title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
 assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
 ms.sitesec: library
-localizationpriority: low
+ms.localizationpriority: low
 ---
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 757d5d4376..00808fc443 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Change history for Microsoft HoloLens documentation
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index e9b51e6b8d..590709239d 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Enroll HoloLens in MDM
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index fa7479c5ef..d4ab0de317 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Install apps on HoloLens
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 42ce78887a..b2986ac0a3 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Set up HoloLens in kiosk mode
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 53f90a2f31..93334b734a 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Configure HoloLens using a provisioning package test
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index d364082e8d..e4d0abec41 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Microsoft HoloLens in the enterprise: requirements and FAQ
diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md
index d6ead976b2..485dc497ee 100644
--- a/devices/hololens/hololens-setup.md
+++ b/devices/hololens/hololens-setup.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Set up HoloLens
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index 82583e43cd..0b22298118 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Unlock Windows Holographic for Business features
@@ -116,7 +116,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration ### Apply the provisioning package to HoloLens -1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of OOBE (the first page with the blue box). +1. Connect the device via USB to a PC and start the device, but do not continue past the **fit** page of the initial setup experience (the first page with the blue box). 2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. @@ -128,7 +128,7 @@ Provisioning packages are files created by the Windows Imaging and Configuration 6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. -7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. +7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with aa Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index a340332cc7..a400654bbd 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Microsoft HoloLens diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 75d75ecc96..82d3fea1ab 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md 
@@ -10,7 +10,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Accessibility (Surface Hub)
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 31c718d2cc..8fefe084ae 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Admin group management (Surface Hub)
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index cf0b708c03..85672ae9d4 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # PowerShell for Surface Hub
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 216212e22c..150021a410 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Applying ActiveSync policies to device accounts (Surface Hub)
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index f15a7db11b..851d7d7624 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -9,13 +9,22 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Change history for Surface Hub
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## July 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Windows updates](manage-windows-updates-for-surface-hub.md) | Changed deferral recommendations for Windows Updates |
+| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Added Whiteboard URLs to prerequisites |
+| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md#skype-for-business-online) | Updated the Skype for Business Online requirements |
+| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Added that Surface Hub supports 802.1X using PEAP-MSCHAPv2 |
+
 ## June 2017
 | New or changed topic | Description |
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 24401a121f..0dbb2f0c28 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Change the Microsoft Surface Hub device account
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 3b707fc91d..b8b4074703 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Connect other devices and display with Surface Hub
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 2738f245e6..b6d74e9b2f 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Create a device account using UI (Surface Hub)
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index 5488c98164..d23e2a2012 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Create and test a device account (Surface Hub)
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index a82f56d4f1..2cd32d91db 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Device reset (Surface Hub)
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 8ac7840f05..60b1ab2d53 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: isaiahng
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Differences between Surface Hub and Windows 10 Enterprise
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 0de8a05437..65f8ff0dfe 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Microsoft Exchange properties (Surface Hub)
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 38967ea5fb..cfd7ebf145 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # End a Surface Hub meeting with End session
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 6d783ca362..5bbd47ff2e 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # First-run program (Surface Hub)
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index fd1ab47a02..91ea69d286 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Hybrid deployment (Surface Hub)
@@ -116,15 +116,24 @@ Next, you enable the device account with [Skype for Business Online](#skype-for- ### Skype for Business Online -To enable Skype for Business online, your environment will need to meet the following prerequisites: +To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need. -- You need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. +| Skype room system scenario | If you have Office 365 Premium, Office 365 ProPlus, or Skype for Business Standalone Plan 2, you need: | If you have an Enterprise-based plan, you need: | If you have have Skype for Business Server 2015 (on-premises or hybrid), you need: | +| --- | --- | --- | --- | +| Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | +| Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | +| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | +| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - -- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). - -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +The following table lists the Office 365 plans and Skype for Business options. + +| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling | +| --- | --- | --- | --- | --- | +| O365 Business Essentials | Included | | | | +| O365 Business Premium | Included | | | | +| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E5 | Included | Included | Included | Add-on | 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index f8199feb73..ab8cbc200f 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Microsoft Surface Hub admin guide diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index 0fd4a2c619..cf999ceac8 100644 
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub, store
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Install apps on your Microsoft Surface Hub
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 904c44e890..cb1c078d70 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Local management for Surface Hub settings
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 71bf9ab39f..0fa469597a 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub, mobility
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Manage settings with an MDM provider (Surface Hub)
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index 5226843d3a..e3a2315659 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Manage Surface Hub settings
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 14df9d6b63..ce6d076d19 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Manage Microsoft Surface Hub
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 102a9c8006..84340e8542 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub
 author: jdeckerms
 ms.author: jdecker
 ms.date: 06/19/2017
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Windows updates (Surface Hub)
@@ -70,9 +70,9 @@ This table gives examples of deployment rings. | Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step | | --------- | --------- | --------- | --------- | --------- | --------- | -| Evaluation (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. | -| Pilot (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | -| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 60 days after CBB is released. | 14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | +| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. | +| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | +| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. 
| 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. | | Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. | diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md index 69095fd26e..b171da8675 100644 --- a/devices/surface-hub/miracast-over-infrastructure.md +++ b/devices/surface-hub/miracast-over-infrastructure.md @@ -1,6 +1,6 @@ --- title: Miracast on existing wireless network or LAN -description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). +description: Windows 10 enables you to send a Miracast stream over a local network. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Miracast on existing wireless network or LAN 
@@ -32,13 +32,15 @@ Users attempt to connect to a Miracast receiver as they did previously. When the ## Enabling Miracast over Infrastructure -If you have a Surface Hub that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: -- The Surface Hub needs to be running Windows 10, version 1703. -- The Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. -- The DNS Hostname (device name) of the Surface Hub needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. +- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703. +- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. 
+- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- PCs need to be running Windows 10, version 1703. + It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md index 942887f020..6b4edc0f44 100644 --- a/devices/surface-hub/miracast-troubleshooting.md +++ b/devices/surface-hub/miracast-troubleshooting.md @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Troubleshoot Miracast on Surface Hub diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index 2fac6d72e5..d90926b6e8 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Monitor your Microsoft Surface Hub diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 538c8ab8e7..12476b218a 100644 
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # On-premises deployment for Surface Hub in a single-forest environment diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index 71b1557cdc..049a77fe9d 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # On-premises deployment for Surface Hub in a multi-forest environment diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 971d34f236..146dddaaa1 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Online deployment with Office 365 (Surface Hub) diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md index a21cbe75c4..bd6ee1ab26 100644 --- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md 
@@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Password management (Surface Hub) diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md index 881d35d5e5..25d9589595 100644 --- a/devices/surface-hub/physically-install-your-surface-hub-device.md +++ b/devices/surface-hub/physically-install-your-surface-hub-device.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, readiness author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Physically install Microsoft Surface Hub diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 938be33bfe..892a1a31a4 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 -localizationpriority: medium +ms.date: 07/27/2017 +ms.localizationpriority: medium --- # Prepare your environment for Microsoft Surface Hub @@ -22,14 +22,14 @@ This section contains an overview of setup dependencies and the setup process. R ## Review infrastructure dependencies Review these dependencies to make sure Surface Hub features will work in your IT infrastructure. -| Dependency | Purpose | -|-------------------------------------------------------|-------------------------------------------------------| +| Dependency | Purpose | +|-------------|------------------| | Active Directory or Azure Active Directory (Azure AD) |

The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |

Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**802.1x authentication:** In Windows 10, version 1703, 802.1x authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1x authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1x authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1x authentication will start working automatically.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | +| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
**Note:** Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md index f5c44be7e4..4c8f42d3cf 100644 --- a/devices/surface-hub/provisioning-packages-for-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Create provisioning packages (Surface Hub) diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md index 2239f33b52..7511c69e12 100644 --- a/devices/surface-hub/remote-surface-hub-management.md +++ b/devices/surface-hub/remote-surface-hub-management.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Remote Surface Hub management diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 98bcf798cc..7b7a9953bf 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, security author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Save your BitLocker key (Surface Hub) diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 350ad29527..435554c0f4 100644 
--- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Set up Microsoft Surface Hub diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index e689a49798..804434fe6a 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Setup worksheet (Surface Hub) diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md index aab82e172f..569446d7bd 100644 --- a/devices/surface-hub/skype-hybrid-voice.md +++ b/devices/surface-hub/skype-hybrid-voice.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Online or hybrid deployment using Skype Hybrid Voice environment (Surface Hub) diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index b66f0125d8..0adb44a4fc 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md @@ -8,7 +8,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Useful downloads for Microsoft Surface Hub diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md index 8746e4fbf0..c351a69bb3 100644 --- a/devices/surface-hub/surface-hub-wifi-direct.md +++ b/devices/surface-hub/surface-hub-wifi-direct.md 
@@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # How Surface Hub addresses Wi-Fi Direct security issues diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md index e2b323adce..b7fb78beec 100644 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # What's new in Windows 10, version 1703 for Microsoft Surface Hub? diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index 88634df13a..46b82e72e3 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Troubleshoot Microsoft Surface Hub diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index 8b90760907..056a710493 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md @@ -5,7 +5,7 @@ keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium ms.prod: w10 ms.mktglfcycl: support ms.sitesec: library diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 8a77082f26..5746904f3f 100644 
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Using a room control system (Surface Hub) diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 7633008a2d..87f6088e2c 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -7,8 +7,8 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 -localizationpriority: medium +ms.date: 07/13/2017 +ms.localizationpriority: medium --- # Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) @@ -28,6 +28,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m - Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet - Surface Hub needs to be updated to Windows 10, version 1607 or newer - Port 443 needs to be open since Whiteboard makes standard https requests +- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies >[!NOTE] @@ -63,9 +64,9 @@ The OMA URI for each setting consists of `./User/Vendor/MSFT/EnterpriseModernApp | Setting | Details | OMA URI | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | | --- | ---- | --- |---- | --- | --- | -| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes
[Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.
[Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes | +| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes
[Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.
[Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes | +| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes
[Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.
[Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. Whiteboard also has other MDM settings that can be managed and set for defaults, exporting, and sharing. You can see these additional settings in [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md#whiteboard-collaboration-settings). diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index d7b8a3edbe..434cef3e19 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -10,7 +10,7 @@ ms.pagetype: surfacehub, networking author: jdeckerms ms.author: jdecker ms.date: 06/19/2017 -localizationpriority: medium +ms.localizationpriority: medium --- # Wireless network management (Surface Hub) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 359032994a..1116a30c12 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -3,7 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface) description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices. ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93 keywords: security, features, configure, hardware, device, custom, script, update -localizationpriority: high +ms.localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices, security 
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index e986d59af3..1f50da1b95 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,7 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface)
 description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
 ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
 keywords: deploy, customize, automate, network, Pen, pair, boot
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index 05a27098bb..96fa078066 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -3,7 +3,7 @@ title: Download the latest firmware and drivers for Surface devices (Surface)
 description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.
 ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A
 keywords: update Surface, newest, latest, download, firmware, driver, tablet, hardware, device
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 5013bcb538..09f3d1463d 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,7 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
 description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
 ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
 keywords: network, wireless, device, deploy, authentication, protocol
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 3a5739d950..4ebec35606 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,7 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
 description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
 ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
 keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 3ef2840357..65fba37343 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -2,7 +2,7 @@
 title: Surface (Surface)
 description:
 ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index a07e2d8789..02c59dfdbb 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -2,7 +2,7 @@
 title: Manage Surface Dock firmware updates (Surface)
 description: Read about the different methods you can use to manage the process of Surface Dock firmware updates.
 ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F
-localizationpriority: high
+ms.localizationpriority: high
 keywords: firmware, update, install, drivers
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/manage-surface-pro-3-firmware-updates.md b/devices/surface/manage-surface-pro-3-firmware-updates.md
index eb0fea2fee..2a21c48dde 100644
--- a/devices/surface/manage-surface-pro-3-firmware-updates.md
+++ b/devices/surface/manage-surface-pro-3-firmware-updates.md
@@ -3,7 +3,7 @@ title: Manage Surface driver and firmware updates (Surface)
 description: This article describes the available options to manage firmware and driver updates for Surface devices.
 ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
 keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 388cb338d9..1e675594b7 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -2,7 +2,7 @@
 title: Manage Surface UEFI settings (Surface)
 description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings.
 keywords: firmware, security, features, configure, hardware
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index ef8103d135..b7993ada90 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -2,7 +2,7 @@
 title: Microsoft Surface Data Eraser (Surface)
 description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
 ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
-localizationpriority: high
+ms.localizationpriority: high
 keywords: tool, USB, data, erase
 ms.prod: w10
 ms.mktglfcycl: manage
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 207c434259..564aadec7a 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Deployment Accelerator (Surface)
 description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.date: 06/29/2017
-localizationpriority: high
+ms.localizationpriority: high
 keywords: deploy, install, tool
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 492a5e773c..b9c7a108ed 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -2,7 +2,7 @@
 title: Step by step Surface Deployment Accelerator (Surface)
 description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
 ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
-localizationpriority: high
+ms.localizationpriority: high
 keywords: deploy, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/devices/surface/surface-diagnostic-toolkit.md b/devices/surface/surface-diagnostic-toolkit.md
index 8baced791b..2cb59e2ab9 100644
--- a/devices/surface/surface-diagnostic-toolkit.md
+++ b/devices/surface/surface-diagnostic-toolkit.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Diagnostic Toolkit (Surface)
 description: Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.
 ms.assetid: FC4C3E76-3613-4A84-A384-85FE8809BEF1
 keywords: hardware, device, tool, test, component
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index e555b82072..42ea115bd7 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Dock Updater (Surface)
 description: This article provides a detailed walkthrough of Microsoft Surface Dock Updater.
 ms.assetid: 1FEFF277-F7D1-4CB4-8898-FDFE8CBE1D5C
 keywords: install, update, firmware
-localizationpriority: high
+ms.localizationpriority: high
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
diff --git a/education/get-started/TOC.md b/education/get-started/TOC.md
index b4b33d20fc..4d7123cb43 100644
--- a/education/get-started/TOC.md
+++ b/education/get-started/TOC.md
@@ -1,3 +1,11 @@ # [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) -# [Change history for Microsoft Education get started](change-history-ms-edu-get-started.md) +## [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +## [Use School Data Sync to import student data](use-school-data-sync.md) +## [Enable Microsoft Teams for your school](enable-microsoft-teams.md) +## [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +## [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +## [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) +### [Set up Windows 10 devices using Windows OOBE](set-up-windows-education-devices.md) +## [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) +# [Change history for Microsoft Education Get Started](change-history-ms-edu-get-started.md) diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 484ed4a299..2e9b13b1a7 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -1,5 +1,5 @@ --- -title: Change history for Microsoft Education Get started +title: Change history for Microsoft Education Get Started description: New and changed topics in the Microsoft Education get started guide. keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history ms.prod: w10 
@@ -8,13 +8,27 @@ ms.sitesec: library ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 06/26/2017 +ms.date: 07/03/2017 --- -# Change history for Microsoft Education Get started +# Change history for Microsoft Education Get Started This topic lists the changes in the Microsoft Education IT admin get started. +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | +| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | +| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | +| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | +| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | +| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | +| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. 
| +| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | + + ## June 2017 | New or changed topic | Description | diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md new file mode 100644 index 0000000000..8b6ac1363e --- /dev/null +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -0,0 +1,66 @@ +--- +title: Configure Microsoft Store for Education +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Configure Microsoft Store for Education + +You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ + +You can watch the descriptive audio version here: [Microsoft Education: Configure Microsoft Store for Education (DA)](https://www.youtube.com/watch?v=bStgEpHbEXw) + +## Associate your Microsoft Store account with Intune for Education + +1. Sign in to Microsoft Store for Education. +2. Accept the Microsoft Store for Business and Education Services Agreement. + + This will take you to the Microsoft Store for Education portal. + + **Figure 1** - Microsoft Store for Education portal + + ![Microsoft Store for Education portal](images/msfe_store_portal.png) + +3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. +4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. + + **Figure 2** - Select management tools from the list of Store settings options + + ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) + +4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. + + **Figure 3** - Activate Intune for Education as the management tool + + ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) + +Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. + + + +> [!div class="step-by-step"] +[<< Enable Microsoft Teams for your school](enable-microsoft-teams.md) +[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md new file mode 100644 index 0000000000..39574448d6 --- /dev/null 
+++ b/education/get-started/enable-microsoft-teams.md 
@@ -0,0 +1,60 @@ +--- +title: Enable Microsoft Teams for your school +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Enable Microsoft Teams for your school + +Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. + +To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. + +## Enable Microsoft Teams for your school + +1. Sign in to Office 365 with your work or school account. +2. Click **Admin** to go to the Office 365 admin center. +3. Go to **Settings > Services & add-ins**. +4. On the **Services & add-ins** page, select **Microsoft Teams**. + + **Figure 1** - Select Microsoft Teams from the list of services & add-ins + + ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) + +5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. 
+ + **Figure 2** - Select the license that you want to configure + + ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) + +6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. + + **Figure 3** - Turn on Microsoft Teams for your organization + + ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) + +7. Click **Save**. + +You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page. + + + +> [!div class="step-by-step"] +[<< Use School Data Sync to import student data](use-school-data-sync.md) +[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md new file mode 100644 index 0000000000..df2fc44837 --- /dev/null +++ b/education/get-started/finish-setup-and-other-tasks.md 
@@ -0,0 +1,178 @@ +--- +title: Finish Windows 10 device setup and other tasks +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Finish Windows 10 device setup and other tasks +Once you've set up your Windows 10 education device, it's worth checking to verify the following: + +> [!div class="checklist"] +> * Correct device setup +> * Device is Azure AD joined + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ +You can watch the descriptive audio version here: [Microsoft Education: Verify Windows 10 education devices are Azure AD joined and managed (DA)](https://www.youtube.com/watch?v=_hVIxaEsu2Y) + +## Verify correct device setup +Verify that the device is set up correctly and boots without any issues. + +**Verify that the device was set up correctly** +1. Confirm that the Start menu contains a simple configuration. +2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**. + + > [!NOTE] + > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. + + **Figure 1** - Sample list of apps for a user + + ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) + +## Verify the device is Azure AD joined +Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. + +**Verify if the device is joined to Azure AD** +1. Log in to the Intune for Education console. +2. Select **Groups** and select **All Devices**. +3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. + + **Figure 2** - List of all managed devices + + ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) + +4. On the Windows 10 education device, click **Start** and go to **Settings**. +5. Select **Accounts > Access work or school**. +6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. + + **Figure 3** - Confirm that the Windows 10 device is joined to Azure AD + + ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) + +**That's it! 
You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. + +You can follow the rest of the walkthrough to finish setup and complete other tasks, such as: + +> [!div class="checklist"] +> * Update group settings in Intune for Education +> * Configure Azure settings +> * Complete Office 365 for Education setup +> * Add more users +> * Connect other devices, like BYOD devices, to your cloud infrastructure + +You can watch the following video to see how to update group settings in Intune for Education and configure Azure settings. Or, you can follow the step-by-step guide for these tasks and the other tasks listed above. + +
+ +You can watch the descriptive audio version here: [Microsoft Education: Update settings, apps, and Azure AD settings for your education tenant (DA)](https://www.youtube.com/watch?v=-Rz3VcDXbzs) + +## Update group settings in Intune for Education +If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. + +1. Log in to the Intune for Education console. +2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. +3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. + + **Figure 4** - See the list of available settings in Intune for Education + + ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) + +4. Keep the default settings or configure the settings according to your school's policies. + + For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. + +5. Click **Save** or **Discard changes**. + +## Configure Azure settings +After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. + +### Enable many devices to be added by a single person +When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure. + +Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure. + +1. Sign in to the Office 365 admin center. +2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. 
+ + **Figure 5** - Device settings in the new Azure portal + + ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) + +4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**. +5. Click **Save** to update device settings. + +### Enable roaming settings for users +When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices. + +Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. + +1. Sign in to the Office 365 admin center. +3. Go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. +4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. + + **Figure 6** - Enable settings to roam with users + + ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) + +5. Click **Save** to update device settings. + +## Complete Office 365 for Education setup +Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. + +## Add more users +After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. + +See Add users to Office 365 to learn more. 
Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. + +## Connect other devices to your cloud infrastructure +Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. + + > [!NOTE] + > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. + +**To connect a personal device to your work or school** + +1. On your Windows device, go to **Settings > Accounts**. +2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. +3. In the **Set up a work or school account** window, enter the user's account info. + + For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. + + **Figure 7** - Device is now managed by Intune for Education + + ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) + +4. Enter the account password and then click **Sign in** to authenticate the user. + + Depending on the organization's policy, the user may be asked to update the password. + +5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. 
+ + **Figure 8** - Device is connected to organization's MDM + + ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) + +6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [Verify the device is Azure AD joined](#verify-the-device-is-azure-ad-joined). + + It may take several minutes before the new device shows up so check again later. + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) diff --git a/education/get-started/get-started-with-microsoft-education-fullpage.md b/education/get-started/get-started-with-microsoft-education-fullpage.md new file mode 100644 index 0000000000..1b41b3b603 --- /dev/null +++ b/education/get-started/get-started-with-microsoft-education-fullpage.md 
@@ -0,0 +1,765 @@
+---
+title: Deploy and manage a full cloud IT solution with Microsoft Education
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: hero-article
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 06/26/2017
+---
+
+# Get started: Deploy and manage a full cloud IT solution with Microsoft Education
+
+![Learn how to deploy and manage a cloud solution with MSES!](images/mses_getstarted_banner.png)
+
+**Applies to:**
+
+- Office 365 for Education, School Data Sync, Microsoft Intune for Education, Microsoft Store for Education, Windows 10 Creators Update, Set up School PCs
+
+Hello, IT administrators! In this walkthrough, we'll show you how you can quickly and easily use the new Microsoft Education system, consisting of new and existing cloud services and tools, to implement a full IT cloud solution for your school.
+
+## What is Microsoft Education?
+**Microsoft Education** consists of these new and existing services and tools from Microsoft:
+- **Microsoft Intune for Education** for simple set up, control, and management of the resources for your school including apps, devices, and settings
+- **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students
+ - **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365
+ - **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow
+- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
+- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
+- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
+- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
+- **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving
+
+With Microsoft Education, schools can:
+- **Use affordable devices and simple setup** - Boost creativity and get started instantly with Windows 10 devices that support Windows Ink. Set up devices in minutes and stay in control with the new Intune for Education.
+- **Collaborate in a modern classroom** - Help students become career-ready with Office apps like Word, Excel, PowerPoint, and OneNote. Increase comprehension and outcomes with the most advanced teaching apps like integrated Learning Tools.
+- **Go beyond the browser with inspiring apps for classroom learning** - Inspire with Minecraft: Education Edition and innovative apps from the Microsoft Store for Education.
+
+Go to the Microsoft Education site to learn more. See How to buy to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
+
+## What we're doing
+In this walkthrough, we'll show you the basics on how to:
+> [!div class="checklist"]
+> * Acquire an Office 365 for Education tenant, if you don't already have one
+> * Import school, student, teacher, and class data using School Data Sync (SDS)
+> * Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
+> * Manage apps and settings deployment with Intune for Education
+> * Acquire additional apps in Microsoft Store for Education
+> * Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
+> * Log in and use the devices
+
+This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
+
+**Figure 1** - Microsoft Education IT administrator workflow
+
+![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
+
+## Prerequisites
+Complete these tasks before you start the walkthrough:
+- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed.
+
+ We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
+
+ If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
+
+- Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education.
+
+ If you don't have an education-verified domain, don't worry. We'll show you the steps on how to do this.
+
+ > [!NOTE]
+ > If you need to get education-verified, it may take up to two weeks for the verification process to be completed.
+
+## Setup options
+ To make sure you have a successful experience with deploying and managing a full cloud IT solution with Microsoft Education, select the scenario that best describes your school or how you'd like to get started.
+
+
+| [Get started with Microsoft Education in production environment](#noo365prodenv) | [Try out Microsoft Education in trial environment](#noo365trialenv) | [School uses Office 365, try out Intune for Education now](#schooluseso365tryi4e) |
+| ----------------------------------------- | ------------------------------------------------ | ---------------------------------------------- |
+| * My school doesn't use Office 365 for Education | * My school doesn't use Office 365 for Education | * My school uses Office 365 for Education |
+| * My school is not an education-verified tenant | * My school is not an education-verified tenant | * My school is an education-verified tenant |
+| * I would like to get started with Microsoft Education in a production environment | * I would like to try out Microsoft Education in a trial environment | * I would like to apply the Intune for Education trial code to my school's production environment |
+| * Longest, need to start from scratch | * Simplest, but may take longer to start | * Fastest, Office 365 and SDS already set up |
+
+
+### Option 1: Get started with Microsoft Education in a production environment
+Trying out Microsoft Education in a production environment means you'll be using real school data as you evaluate the features and tools. This requires more time to get fully set up and going.
+
+To get started with Microsoft Education in a production environment:
+
+* Go to https://aka.ms/sdssignup and fill out the form to sign up for School Data Sync and receive a free, one-on-one support from Microsoft.
+
+ A team from Microsoft will contact you to help get started with Microsoft Education.
+
+If you want a quicker way to evaluate Microsoft Education, you can [use a trial environment instead](#noo365trialenv).
+
+### Option 2: Try out Microsoft Education in a trial environment
+Once you get an Office 365 education-verified tenant, trying out Microsoft Education in a trial environment is an easy way to evaluate all the features and tools. Here, you'll use promo codes and sample files as you follow the walkthrough.
+
+To get started with Microsoft Education in a trial environment, follow these steps.
+
+1. [Set up a new Office 365 for Education tenant](#1-set-up-a-new-office-365-for-education-tenant).
+
+ Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days.
+
+2. Once you have an education-verified tenant, click https://aka.ms/intuneforedupreviewtrial to apply the Intune for Education trial promo code.
+ 1. In the Intune for Education Trial page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**.
+ 2. Sign in with your global admin credentials.
+
+3. Sign in to Office 365 admin portal and:
+ 1. Select **Admin > Users** and then search for your admin account.
+ 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself.
+ 3. Confirm that School Data Sync is turned on.
+
+3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [2. Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data).
+
+### Option 3: Try out Intune for Education
+Already have an Office 365 for Education verified tenant? Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough.
+
+1. Click https://aka.ms/intuneforedupreviewtrial to get started.
+2. In the **Intune for Education Trial** page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**.
+
+ **Figure 2** - Intune for Education trial sign in page
+
+ ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
+
+3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
+4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [3. Enable Microsoft Teams for your school](#3-enable-microsoft-teams-for-your-school) and then follow the rest of the instructions in this walkthrough.
+
+## 1. Set up a new Office 365 for Education tenant
+Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
+
+Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+
+1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school.
+2. Create an account and a user ID and password to use to sign into your account.
+
+ **Figure 3** - Office 365 account creation
+
+ ![Create an Office 365 account](images/o365_createaccount.png)
+
+3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...**
+4. In the **Verify eligibility for Microsoft Office 365 for Education** screen:
+ 1. Add your domain name and follow the steps to confirm ownership of the domain.
+ 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain.
+
+ In some cases, you may need to wait several hours for the DNS verification to complete.
You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain.
+
+ You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant.
+
+As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info.
+
+
+## 2. Use School Data Sync to import student data
+School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks.
+
+Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](#noo365prodenv) instead.
+
+**Download sample school data**
+
+1. Go to the O365-EDU-Tools GitHub site.
+2. Click the green **Clone or download** button to download the SDS sample files.
+
+ **Figure 4** - Download the SDS sample files from GitHub
+
+ ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png)
+
+3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder.
+4. Go to the folder where you saved the .zip and unzip the files.
+5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files.
+
+ **Figure 5** - Sample CSV files
+
+ ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png)
+
+ > [!NOTE]
+ > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in.
+ > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization.
+ > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section.
+
+To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting.
+
+**Use SDS to import student data**
+
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
+2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
+
+ **Figure 6** - Settings for managing SDS
+
+ ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png)
+
+3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**.
+
+ New menu options will appear on the left of the SDS portal.
+
+ **Figure 7** - New menu options appear after SDS is turned on
+
+ ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png)
+
+4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data.
+
+ This opens up the new profile setup wizard within the main page.
+
+ **Figure 8** - New SDS profile setup wizard
+
+ ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png)
+
+5. For the new profile, in the **How do you want to connect to your school?** screen:
+ 1.
Enter a name for your profile, such as *Contoso_Elementary_Profile*.
+ 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**.
+ 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**.
+ 4. Click **Start**.
+
+6. In the **Sync options** screen:
+ 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
+ 2. In the **Import data** section:
+ 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
+ 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
+ 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
+ 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
+
+ > [!NOTE]
+ > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified.
+
+ 5. After all the files are successfully uploaded, click **OK**.
+
+ 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
+ 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files.
If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
+ 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
+ 6. In the **Student enrollment option** section:
+ * If you want to sync your student roster data immediately, leave the box unchecked.
+ * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year.
+ 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education.
+ 8. Click **Next**.
+
+ **Figure 9** - Sync options for the new profile
+
+ ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png)
+
+7. In the **Teacher options** screen:
+ 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files.
If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**.
+ 4. Click **Next**.
+
+ **Figure 10** - Specify options for teacher mapping
+
+ ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png)
+
+8. In the **Student options** screen:
+ 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
+ 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
+ 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**.
+ 4. Click **Next**.
+
+ **Figure 11** - Specify options for student mapping
+
+ ![Specify options for student mapping](images/sds_profile_student_options_062317.png)
+
+9. In the profile **Review** page, review the summary and confirm that the options selected are correct.
+10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile.
+
+ **Figure 12** - SDS profile page
+
+ ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png)
+
+11.
After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on:
+ * Stage 1 - Validating data
+ * Stage 2 - Processing schools and sections
+ * Stage 3 - Processing students and teachers
+ * Stage 4 - Adding students and teachers into sections
+ * Stage 5 - Setting up security groups
+
+ If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process.
+
+ Once you've completed all five sync stages, your profile status will update one final time.
+ * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.**
+ * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved.
+
+ Here are some examples of what the sync status can look like:
+
+ **Figure 13** - New profile: Sync in progress
+
+ ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png)
+
+ **Figure 14** - New profile: Sync complete - no errors
+
+ ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png)
+
+ **Figure 15** - New profile: Sync complete - with errors
+
+ ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png)
+
+ Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
+
+ You can refresh the page to confirm that your profile synced successfully.
+
+That's it for importing sample school data using SDS.
+
+## 3. Enable Microsoft Teams for your school
+Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
+
+To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
+
+**Enable Microsoft Teams for your school**
+
+1. Sign in to Office 365 with your work or school account.
+2. Click **Admin** to go to the Office 365 admin center.
+3. Go to **Settings > Services & add-ins**.
+4. On the **Services & add-ins** page, select **Microsoft Teams**.
+
+ **Figure 16** - Select Microsoft Teams from the list of services & add-ins
+
+ ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
+
+5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
+
+ **Figure 17** - Select the license that you want to configure
+
+ ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
+
+6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
+
+ **Figure 18** - Turn on Microsoft Teams for your organization
+
+ ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
+
+7. Click **Save**.
+
+You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page.
+
+## 4. Configure Microsoft Store for Education
+You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
+
+**Associate your Microsoft Store account with Intune for Education**
+
+1. Sign in to Microsoft Store for Education.
+2. Accept the Microsoft Store for Business and Education Services Agreement.
+
+ This will take you to the Microsoft Store for Education portal.
+
+ **Figure 19** - Microsoft Store for Education portal
+
+ ![Microsoft Store for Education portal](images/msfe_store_portal.png)
+
+3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
+4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
+
+ **Figure 20** - Select management tools from the list of Store settings options
+
+ ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
+
+4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
+
+ **Figure 21** - Activate Intune for Education as the management tool
+
+ ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
+
+Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
+
+## 5. Use Intune for Education to manage groups, apps, and settings
+Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
+
+### Example - Set up Intune for Education, buy apps from the Store, and install the apps
+In this walkthrough, we'll go through a sample scenario and walk you through the steps to:
+- [Use express configuration to quickly set up Intune for Education](#setupintune)
+- [Use Intune for Education to buy apps from the Microsoft Store for Education](#addappsfrommsfe)
+- [Use Intune for Education to install the apps for all users in your tenant](#installappsallusers)
+
+Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps:
+- Excel
+- Fresh Paint
+- Minecraft: Education Edition
+- OneNote
+- PowerPoint
+- Sway
+- Word
+
+ > [!NOTE]
+ > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education.
+
+
+**Set up Intune for Education**
+
+Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
+
+1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in.
+
+ **Figure 22** - Intune for Education dashboard
+
+ ![Intune for Education dashboard](images/i4e_portal.png)
+
+2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
+3. In the **Welcome to Intune for Education** screen, click **Get started**.
+
+ **Figure 23** - Click Get started to set up Intune for Education
+
+ ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
+
+4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
+
+ **Figure 24** - SDS is configured
+
+ ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
+
+5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group.
+
+ You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough.
+
+6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**.
+
+ > [!TIP]
+ > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
+ >
+ > **Figure 25** - Click on the buttons to go back to that step
+ >
+ > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
+
+7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category.
+
+ - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step.
+
+ In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device.
+
+ > [!TIP]
+ > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
+
+ **Figure 26** - Choose the apps that you want to install for the group
+
+ ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
+
+8.
When you're done choosing apps, click **Next** at the bottom of the screen. + + If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. + +8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. + + **Figure 27** - Expand the settings group to get more details + + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) + +9. For this walkthrough, set the following settings: + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. + - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. + + **Figure 28** - Set some additional settings + + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) + +10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. + + **Figure 29** - Review the group, apps, and settings you configured + + ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) + +11. Click **Save** to end express configuration. +12. You will see the **You're done!** screen which lets you choose one of two options. + + **Figure 30** - All done with Intune for Education express configuration + + ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) + +13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. 
+
+
+**Add apps bought from Microsoft Store for Education**
+
+- **Example 1 - Minecraft: Education Edition**
+
+ If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition.
+
+- **Example 2 - Free educational/reference apps**
+
+ 1. In the Intune for Education console, click **Apps** from the menu on the left.
+
+ **Figure 31** - Click on **Apps** to see the list of apps for your tenant
+
+ ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
+
+ 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
+
+ **Figure 32** - Select the option to add a new Store app
+
+ ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
+
+ 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education.
+
+ For example, these apps are free:
+ - Duolingo - Learn Languages for Free
+ - Flashcards Pro
+ - Khan Academy
+ - My Study Life
+
+ 4. Find or select the app you want to install and click **Get the app**.
+ 5. In the app's Store page, click the **...** button and select **Add to private store**.
+ 6. Repeat steps 3-5 to install another app or move to the next step.
+ 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory.
+
+ For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
+
+ **Figure 33** - Apps inventory in Microsoft Store for Education
+
+ ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
+
+ In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store.
+
+ > [!NOTE]
+ > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps.
+
+**Install apps for all users**
+
+Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant.
+
+1. In the Intune for Education console, click the **Groups** option from the menu on the left.
+
+ **Figure 34** - Groups page in Intune for Education
+
+ ![Groups page in Intune for Education](images/i4e_groupspage.png)
+
+2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page.
+
+ **Figure 35** - List of all users in the tenant
+
+ ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
+
+3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
+
+ **Figure 36** - Edit apps to assign them to users
+
+ ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
+
+4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select.
+
+ **Figure 37** - Select the apps to deploy to the group
+
+ ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
+
+5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
+6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected.
+
+ **Figure 38** - Updated list of assigned apps
+
+ ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
+
+You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
+
+## 6. Set up Windows 10 devices
+
+### 6.1 Set up devices using Set up School PCs or Windows OOBE
+We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options:
+- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
+- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
+
+**Option 1: Set up a device using the Set up School PCs app**
+
+IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
+
+![Set up School PCs app](images/suspc_getstarted_050817.png)
+
+Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
+- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
+- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
+- Removes OEM preinstalled software from each student PC
+- Auto-configures and saves a wireless network profile on each student PC
+- Gives a friendly and unique name to each student device for future management
+- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
+- Enables optional guest account for younger students, lost passwords, or visitors
+- Enables optional secure testing account
+- Locks down the student PC to prevent mischievous activity:
+ * Prevents students from removing the PC from the school's device management system
+ * Prevents students from removing the Set up School PCs settings
+- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
+- Customizes the Start layout with Office
+- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
+- Uninstalls apps not specific to education, such as Solitaire
+- Prevents students from adding personal Microsoft accounts to the PC
+
+**To set up a device using the Set up School PCs app**
+
+1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs.
+2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup).
+
+
+**Option 2: Set up a device using Windows OOBE**
+
+1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
+2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
+
+ **Figure 39** - Let's start with region
+
+ ![Let's start with region](images/win10_letsstartwithregion.png)
+
+3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
+
+ **Figure 40** - Select setup for an organization
+
+ ![Select setup for an organization](images/win10_setupforanorg.png)
+
+4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password.
+5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies.
+6. Click **Accept** to go through the rest of device setup.
+
+
+### 6.2 Verify correct device setup
+Verify that the device is set up correctly and boots without any issues.
+
+**Verify that the device was set up correctly**
+1. Confirm that the Start menu contains a simple configuration.
+2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**.
+
+ > [!NOTE]
+ > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
+
+ **Figure 41** - Sample list of apps for a user
+
+ ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
+
+### 6.3 Verify the device is Azure AD joined
+Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education.
+
+**Verify if the device is joined to Azure AD**
+1. Log in to the Intune for Education console.
+2. Select **Groups** and select **All Devices**.
+3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
+
+ **Figure 42** - List of all managed devices
+
+ ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
+
+4. On the Windows 10 education device, click **Start** and go to **Settings**.
+5. Select **Accounts > Access work or school**.
+6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
+
+ **Figure 43** - Confirm that the Windows 10 device is joined to Azure AD
+
+ ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
+
+**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks.
+
+
+## 7. Finish setup and other tasks
+
+### 7.1 Update group settings in Intune for Education
+If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps.
+
+1. Log in to the Intune for Education console.
+2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
+3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
+
+ **Figure 44** - See the list of available settings in Intune for Education
+
+ ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
+
+4. Keep the default settings or configure the settings according to your school's policies.
+
+ For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**.
+
+5. Click **Save** or **Discard changes**.
+
+### 7.2 Configure Azure settings
+After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
+
+#### Enable many devices to be added by a single person
+When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure.
+
+Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
+
+1. Sign in to the Office 365 admin center.
+2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
+
+ **Figure 45** - Device settings in the new Azure portal
+
+ ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
+
+4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**.
+5. Click **Save** to update device settings.
+
+#### Enable roaming settings for users
+When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices.
+
+Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another.
+
+1. Sign in to the Office 365 admin center.
+3. Go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
+4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
+
+ **Figure 46** - Enable settings to roam with users
+
+ ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
+
+5. Click **Save** to update device settings.
+
+### 7.3 Complete Office 365 for Education setup
+Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation.
+
+### 7.4 Add more users
+After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
+
+See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well.
+
+### 7.5 Connect other devices to your cloud infrastructure
+Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
+
+ > [!NOTE]
+ > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
+
+**To connect a personal device to your work or school**
+
+1. On your Windows device, go to **Settings > Accounts**.
+2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page.
+3. In the **Set up a work or school account** window, enter the user's account info.
+
+ For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
+
+ **Figure 47** - Device is now managed by Intune for Education
+
+ ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
+
+4. Enter the account password and then click **Sign in** to authenticate the user.
+
+ Depending on the organization's policy, the user may be asked to update the password.
+
+5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
+
+ **Figure 48** - Device is connected to organization's MDM
+
+ ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
+
+6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined).
+
+ It may take several minutes before the new device shows up so check again later.
+
+
+## Get more info
+
+### Microsoft Education documentation and resources hub
+See the Microsoft Education documentation and resources hub for links to more content for IT admins, teachers, students, and education app developers.
+
+### Info related to this walkthrough
+
+**For IT admins**
+
+To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
+- Working with Microsoft Store for Education
+- *Resources for anyone who uses Office 365* and *Resources for admins* in Get started with Office 365 for Education
+- School Data Sync deployment options
+ - Deployment using CSV files: How to deploy School Data Sync by using CSV files and CSV files for School Data Sync
+ - Deployment using PowerSchool Sync: How to deploy School Data Sync by using PowerSchool Sync and School Data Sync required attributes for PowerSchool Sync
+ - Deployment using Clever Sync: How to deploy School Data Sync by using Clever Sync and School Data Sync required attributes for Clever sync
+ - Deployment using OneRoster CSV files: How to deploy School Data Sync by using OneRoster CSV files
+
+**For teachers**
+
+Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
+- *Resources for anyone who uses Office 365* in Get started with Office 365 for Education
+- Windows 10 online resources for teachers
+
+
+
+
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 78b9e46ccf..9d9e9b9a5a 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -6,11 +6,11 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article -localizationpriority: high +ms.localizationpriority: high ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 06/26/2017 +ms.date: 07/10/2017 --- # Get started: Deploy and manage a full cloud IT solution with Microsoft Education
@@ -44,13 +44,14 @@ Go to the Mi ## What we're doing In this walkthrough, we'll show you the basics on how to: -- Acquire an Office 365 for Education tenant, if you don't already have one -- Import school, student, teacher, and class data using School Data Sync (SDS) -- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate -- Manage apps and settings deployment with Intune for Education -- Acquire additional apps in Microsoft Store for Education -- Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices -- Log in and use the devices +> [!div class="checklist"] +> * Acquire an Office 365 for Education tenant, if you don't already have one +> * Import school, student, teacher, and class data using School Data Sync (SDS) +> * Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate +> * Manage apps and settings deployment with Intune for Education +> * Acquire additional apps in Microsoft Store for Education +> * Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices +> * Log in and use the devices This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
@@ -101,7 +102,7 @@ Once you get an Office 365 education-verified tenant, trying out Microsoft Educa To get started with Microsoft Education in a trial environment, follow these steps. -1. [Set up a new Office 365 for Education tenant](#1-set-up-a-new-office-365-for-education-tenant). +1. [Set up a new Office 365 for Education tenant](set-up-office365-edu-tenant.md). Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days.
@@ -114,7 +115,7 @@ To get started with Microsoft Education in a trial environment, follow these ste 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself. 3. Confirm that School Data Sync is turned on. -3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [2. Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data). +3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [Use School Data Sync to import student data](use-school-data-sync.md). ### Option 3: Try out Intune for Education Already have an Office 365 for Education verified tenant? Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough. 
@@ -127,613 +128,20 @@ Already have an Office 365 for Education verified tenant? Just sign in with your ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. -4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [3. Enable Microsoft Teams for your school](#3-enable-microsoft-teams-for-your-school) and then follow the rest of the instructions in this walkthrough. +4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [Enable Microsoft Teams for your school](enable-microsoft-teams.md) and then follow the rest of the instructions in this walkthrough. -## 1. Set up a new Office 365 for Education tenant -Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. +## End-to-end process +The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on scenario, you may not need to implement all these steps. -Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). - -1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school. -2. Create an account and a user ID and password to use to sign into your account. - - **Figure 3** - Office 365 account creation - - ![Create an Office 365 account](images/o365_createaccount.png) - -3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** -4. 
In the **Verify eligibility for Microsoft Office 365 for Education** screen: - 1. Add your domain name and follow the steps to confirm ownership of the domain. - 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. - - In some cases, you may need to wait several hours for the DNS verification to complete. You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. - - You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. - -As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info. - - -## 2. Use School Data Sync to import student data -School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. - -Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](#noo365prodenv) instead. - -**Download sample school data** - -1. Go to the O365-EDU-Tools GitHub site. -2. Click the green **Clone or download** button to download the SDS sample files. 
- - **Figure 4** - Download the SDS sample files from GitHub - - ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png) - -3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder. -4. Go to the folder where you saved the .zip and unzip the files. -5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files. - - **Figure 5** - Sample CSV files - - ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png) - - > [!NOTE] - > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in. - > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization. - > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section. - -To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting. - -**Use SDS to import student data** - -1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. -2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**. - - **Figure 6** - Settings for managing SDS - - ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png) - -3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**. - - New menu options will appear on the left of the SDS portal. 
- - **Figure 7** - New menu options appear after SDS is turned on - - ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png) - -4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data. - - This opens up the new profile setup wizard within the main page. - - **Figure 8** - New SDS profile setup wizard - - ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png) - -5. For the new profile, in the **How do you want to connect to your school?** screen: - 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*. - 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**. - 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**. - 4. Click **Start**. - -6. In the **Sync options** screen: - 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. - 2. In the **Import data** section: - 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. - 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. - 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. - 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. - - > [!NOTE] - > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. - - 5. 
After all the files are successfully uploaded, click **OK**. - - 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. - 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. - 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 6. In the **Student enrollment option** section: - * If you want to sync your student roster data immediately, leave the box unchecked. - * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. - 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. - 8. Click **Next**. - - **Figure 9** - Sync options for the new profile - - ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png) - -7. In the **Teacher options** screen: - 1. Select the domain for the teachers. 
SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. - 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**. - 4. Click **Next**. - - **Figure 10** - Specify options for teacher mapping - - ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png) - -8. In the **Student options** screen: - 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. - 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**. - 4. Click **Next**. 
- - **Figure 11** - Specify options for student mapping - - ![Specify options for student mapping](images/sds_profile_student_options_062317.png) - -9. In the profile **Review** page, review the summary and confirm that the options selected are correct. -10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile. - - **Figure 12** - SDS profile page - - ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png) - -11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on: - * Stage 1 - Validating data - * Stage 2 - Processing schools and sections - * Stage 3 - Processing students and teachers - * Stage 4 - Adding students and teachers into sections - * Stage 5 - Setting up security groups - - If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. - - Once you've completed all five sync stages, your profile status will update one final time. - * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.** - * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. 
Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved. - - Here are some examples of what the sync status can look like: - - **Figure 13** - New profile: Sync in progress - - ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) - - **Figure 14** - New profile: Sync complete - no errors - - ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) - - **Figure 15** - New profile: Sync complete - with errors - - ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) - - Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. - - You can refresh the page to confirm that your profile synced successfully. - -That's it for importing sample school data using SDS. - -## 3. Enable Microsoft Teams for your school -Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education. - -To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school. - -**Enable Microsoft Teams for your school** - -1. Sign in to Office 365 with your work or school account. -2. Click **Admin** to go to the Office 365 admin center. -3. Go to **Settings > Services & add-ins**. 
-4. On the **Services & add-ins** page, select **Microsoft Teams**. - - **Figure 16** - Select Microsoft Teams from the list of services & add-ins - - ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) - -5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. - - **Figure 17** - Select the license that you want to configure - - ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) - -6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. - - **Figure 18** - Turn on Microsoft Teams for your organization - - ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) - -7. Click **Save**. - -You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page. - -## 4. Configure Microsoft Store for Education -You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. - -**Associate your Microsoft Store account with Intune for Education** - -1. Sign in to Microsoft Store for Education. -2. Accept the Microsoft Store for Business and Education Services Agreement. - - This will take you to the Microsoft Store for Education portal. - - **Figure 19** - Microsoft Store for Education portal - - ![Microsoft Store for Education portal](images/msfe_store_portal.png) - -3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. -4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. 
- - **Figure 20** - Select management tools from the list of Store settings options - - ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) - -4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. - - **Figure 21** - Activate Intune for Education as the management tool - - ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) - -Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. - -## 5. Use Intune for Education to manage groups, apps, and settings -Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. 
- -### Example - Set up Intune for Education, buy apps from the Store, and install the apps -In this walkthrough, we'll go through a sample scenario and walk you through the steps to: -- [Use express configuration to quickly set up Intune for Education](#setupintune) -- [Use Intune for Education to buy apps from the Microsoft Store for Education](#addappsfrommsfe) -- [Use Intune for Education to install the apps for all users in your tenant](#installappsallusers) - -Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps: -- Excel -- Fresh Paint -- Minecraft: Education Edition -- OneNote -- PowerPoint -- Sway -- Word - - > [!NOTE] - > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education. - - -**Set up Intune for Education** - -Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. - -1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - - **Figure 22** - Intune for Education dashboard - - ![Intune for Education dashboard](images/i4e_portal.png) - -2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. -3. In the **Welcome to Intune for Education** screen, click **Get started**. - - **Figure 23** - Click Get started to set up Intune for Education - - ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) - -4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. 
- - **Figure 24** - SDS is configured - - ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) - -5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group. - - You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. - -6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**. - - > [!TIP] - > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! - > - > **Figure 25** - Click on the buttons to go back to that step - > - > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) - -7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category. - - - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. - - In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. - - > [!TIP] - > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - - **Figure 26** - Choose the apps that you want to install for the group - - ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) - -8. 
When you're done choosing apps, click **Next** at the bottom of the screen. - - If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. - -8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - - **Figure 27** - Expand the settings group to get more details - - ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) - -9. For this walkthrough, set the following settings: - - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. - - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - - **Figure 28** - Set some additional settings - - ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) - -10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - - **Figure 29** - Review the group, apps, and settings you configured - - ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) - -11. Click **Save** to end express configuration. -12. You will see the **You're done!** screen which lets you choose one of two options. - - **Figure 30** - All done with Intune for Education express configuration - - ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) - -13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. 
- - -**Add apps bought from Microsoft Store for Education** - -- **Example 1 - Minecraft: Education Edition** - - If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition. - -- **Example 2 - Free educational/reference apps** - - 1. In the Intune for Education console, click **Apps** from the menu on the left. - - **Figure 31** - Click on **Apps** to see the list of apps for your tenant - - ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) - - 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - - **Figure 32** - Select the option to add a new Store app - - ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) - - 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. - - For example, these apps are free: - - Duolingo - Learn Languages for Free - - Flashcards Pro - - Khan Academy - - My Study Life - - 4. Find or select the app you want to install and click **Get the app**. - 5. In the app's Store page, click the **...** button and select **Add to private store**. - 6. Repeat steps 3-5 to install another app or move to the next step. - 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. - - For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. 
- - **Figure 33** - Apps inventory in Microsoft Store for Education - - ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) - - In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. - - > [!NOTE] - > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. - -**Install apps for all users** - -Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant. - -1. In the Intune for Education console, click the **Groups** option from the menu on the left. - - **Figure 34** - Groups page in Intune for Education - - ![Groups page in Intune for Education](images/i4e_groupspage.png) - -2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - - **Figure 35** - List of all users in the tenant - - ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) - -3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - - **Figure 36** - Edit apps to assign them to users - - ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) - -4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. 
- - **Figure 37** - Select the apps to deploy to the group - - ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) - -5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. -6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. - - **Figure 38** - Updated list of assigned apps - - ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) - -You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. - -## 6. Set up Windows 10 devices - -### 6.1 Set up devices using Set up School PCs or Windows OOBE -We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options: -- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. -- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. - -**Option 1: Set up a device using the Set up School PCs app** - -IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - -![Set up School PCs app](images/suspc_getstarted_050817.png) - -Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. 
This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: -- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant -- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. -- Removes OEM preinstalled software from each student PC -- Auto-configures and saves a wireless network profile on each student PC -- Gives a friendly and unique name to each student device for future management -- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup -- Enables optional guest account for younger students, lost passwords, or visitors -- Enables optional secure testing account -- Locks down the student PC to prevent mischievous activity: - * Prevents students from removing the PC from the school's device management system - * Prevents students from removing the Set up School PCs settings -- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours -- Customizes the Start layout with Office -- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more -- Uninstalls apps not specific to education, such as Solitaire -- Prevents students from adding personal Microsoft accounts to the PC - -**To set up a device using the Set up School PCs app** - -1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs. -2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup). - - -**Option 2: Set up a device using Windows OOBE** - -1. 
If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. -2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - - **Figure 39** - Let's start with region - - ![Let's start with region](images/win10_letsstartwithregion.png) - -3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - - **Figure 40** - Select setup for an organization - - ![Select setup for an organization](images/win10_setupforanorg.png) - -4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. -5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. -6. Click **Accept** to go through the rest of device setup. - - -### 6.2 Verify correct device setup -Verify that the device is set up correctly and boots without any issues. - -**Verify that the device was set up correctly** -1. Confirm that the Start menu contains a simple configuration. -2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**. - - > [!NOTE] - > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - - **Figure 41** - Sample list of apps for a user - - ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) - -### 6.3 Verify the device is Azure AD joined -Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. - -**Verify if the device is joined to Azure AD** -1. 
Log in to the Intune for Education console. -2. Select **Groups** and select **All Devices**. -3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - - **Figure 42** - List of all managed devices - - ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) - -4. On the Windows 10 education device, click **Start** and go to **Settings**. -5. Select **Accounts > Access work or school**. -6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - - **Figure 43** - Confirm that the Windows 10 device is joined to Azure AD - - ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) - -**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks. - - -## 7. Finish setup and other tasks - -### 7.1 Update group settings in Intune for Education -If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps. - -1. Log in to the Intune for Education console. -2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. -3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - - **Figure 44** - See the list of available settings in Intune for Education - - ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) - -4. Keep the default settings or configure the settings according to your school's policies. - - For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. - -5. 
Click **Save** or **Discard changes**. - -### 7.2 Configure Azure settings -After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use. - -#### Enable many devices to be added by a single person -When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure. - -Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure. - -1. Sign in to the Office 365 admin center. -2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. -3. Select **Azure Active Directory > Users and groups > Device settings**. - - **Figure 45** - Device settings in the new Azure portal - - ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) - -4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**. -5. Click **Save** to update device settings. - -#### Enable roaming settings for users -When students move from using one device to another, they may need to have their settings roam with them and be made available on other devices. - -Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. - -1. Sign in to the Office 365 admin center. -3. Go to the new Azure portal, https://portal.azure.com. -3. Select **Azure Active Directory > Users and groups > Device settings**. -4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - - **Figure 46** - Enable settings to roam with users - - ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) - -5. Click **Save** to update device settings. 
- -### 7.3 Complete Office 365 for Education setup -Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the Office 365 admin documentation. - -### 7.4 Add more users -After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education. - -See Add users to Office 365 to learn more. Once you're done adding new users, go to the Intune for Education console and verify that the same users were added to the Intune for Education groups as well. - -### 7.5 Connect other devices to your cloud infrastructure -Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected. - - > [!NOTE] - > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device. - -**To connect a personal device to your work or school** - -1. On your Windows device, go to **Settings > Accounts**. -2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. -3. In the **Set up a work or school account** window, enter the user's account info. 
- - For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - - **Figure 47** - Device is now managed by Intune for Education - - ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) - -4. Enter the account password and then click **Sign in** to authenticate the user. - - Depending on the organization's policy, the user may be asked to update the password. - -5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - - **Figure 48** - Device is connected to organization's MDM - - ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) - -6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined). - - It may take several minutes before the new device shows up so check again later. +Click the link to watch the video or follow the step-by-step guidance for each. +1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +2. [Use School Data Sync to import student data](use-school-data-sync.md) +3. [Enable Microsoft Teams for your school](enable-microsoft-teams.md) +4. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +5. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +6. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) +7. [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) ## Get more info 
diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md
new file mode 100644
index 0000000000..57a0a0a4ff
--- /dev/null
+++ b/education/get-started/set-up-office365-edu-tenant.md
@@ -0,0 +1,54 @@
+---
+title: Set up an Office 365 Education tenant
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Set up an Office 365 Education tenant
+
+Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
+
+Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
+ +
+ +You can watch the descriptive audio version here: [Microsoft Education: Set up an Office 365 Education tenant (DA)](https://www.youtube.com/watch?v=d5tQ8KoB3ic) + +## To set up a new Office 365 Education tenant + +1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school. +2. Create an account and a user ID and password to use to sign into your account. + + **Figure 1** - Office 365 account creation + + ![Create an Office 365 account](images/o365_createaccount.png) + +3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** +4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: + 1. Add your domain name and follow the steps to confirm ownership of the domain. + 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. + + In some cases, you may need to wait several hours for the DNS verification to complete. You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. + + You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. + +As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See *Complete Office 365 for Education setup* in [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) for info. 
+
+> [!div class="step-by-step"]
+[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
+[Use School Data Sync to import student data >>](use-school-data-sync.md)
+
+
+## Related topic
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md
new file mode 100644
index 0000000000..d3f2f989b5
--- /dev/null
+++ b/education/get-started/set-up-windows-10-education-devices.md
@@ -0,0 +1,37 @@ +--- +title: Set up Windows 10 education devices +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Set up Windows 10 education devices + +We recommend using the latest build of Windows 10, version 1703 on your education devices. + +To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide: +- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices. +- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. + + + + +> [!div class="step-by-step"] +[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +[Finish setup and other tasks >>](finish-setup-and-other-tasks.md) + + + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) 
diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md
new file mode 100644
index 0000000000..ad79d03cb5
--- /dev/null
+++ b/education/get-started/set-up-windows-education-devices.md
@@ -0,0 +1,47 @@
+---
+title: Set up Windows 10 devices using Windows OOBE
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Set up Windows 10 devices using Windows OOBE
+
+If you are setting up a Windows 10 device invidividually, and network bandwidth is not an issue, you can go through the Windows 10 first-run setup experience, also known as OOBE (out-of-box-experience) to set up the device, and join it to your school's Office 365 and Azure Active Directory.
+
+You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ +You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno) + +## To set up Windows 10 devices using OOBE + +1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. +2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. + + **Figure 1** - Let's start with region + + ![Let's start with region](images/win10_letsstartwithregion.png) + +3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. + + **Figure 2** - Select setup for an organization + + ![Select setup for an organization](images/win10_setupforanorg.png) + +4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. +5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. +6. Click **Accept** to go through the rest of device setup. + + +## Related topic +[Set up Windows 10 education devices](set-up-windows-10-education-devices.md) \ No newline at end of file diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md new file mode 100644 index 0000000000..b2a9e67e9d --- /dev/null +++ b/education/get-started/use-intune-for-education.md 
@@ -0,0 +1,221 @@
+---
+title: Use Intune for Education to manage groups, apps, and settings
+description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
+keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.topic: get-started
+ms.localizationpriority: high
+ms.pagetype: edu
+author: CelesteDG
+ms.author: celested
+ms.date: 07/10/2017
+---
+
+# Use Intune for Education to manage groups, apps, and settings
+
+Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation.
+ +## Example - Set up Intune for Education, buy apps from the Store, and install the apps +In this walkthrough, we'll go through a sample scenario and walk you through the steps to: +- [Use express configuration to quickly set up Intune for Education](#set-up-intune-for-education) +- [Use Intune for Education to buy apps from the Microsoft Store for Education](#add-apps-bought-from-microsoft-store-for-education) +- [Use Intune for Education to install the apps for all users in your tenant](#install-apps-for-all-users) + +Note that for verified education tenants, Microsoft automatically provisions your app catalog with these apps so you will see them appear on your Intune for Education catalog even before you've bought any apps: +- Excel +- Fresh Paint +- Minecraft: Education Edition +- OneNote +- PowerPoint +- Sway +- Word + + > [!NOTE] + > Apps that you own in the Microsoft Store for Education are automatically available in Intune for Education. Any changes you make to your purchases get reflected in Intune for Education. + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ + +You can watch the descriptive audio version here: [Microsoft Education: Use Intune for Education to manage groups, apps, and settings (DA)](https://youtu.be/Tejxfc4V7cQ) + +## Set up Intune for Education +Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here. + +1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. + + **Figure 1** - Intune for Education dashboard + + ![Intune for Education dashboard](images/i4e_portal.png) + +2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. +3. In the **Welcome to Intune for Education** screen, click **Get started**. + + **Figure 2** - Click Get started to set up Intune for Education + + ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) + +4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. + + **Figure 3** - SDS is configured + + ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) + +5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group. + + You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. + +6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**. + + > [!TIP] + > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! 
+ > + > **Figure 4** - Click on the buttons to go back to that step + > + > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) + +7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category. + + - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. + + In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. + + > [!TIP] + > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. + + **Figure 5** - Choose the apps that you want to install for the group + + ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) + +8. When you're done choosing apps, click **Next** at the bottom of the screen. + + If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. + +8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. + + **Figure 6** - Expand the settings group to get more details + + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) + +9. For this walkthrough, set the following settings: + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. 
+ - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. + + **Figure 28** - Set some additional settings + + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) + +10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. + + **Figure 7** - Review the group, apps, and settings you configured + + ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) + +11. Click **Save** to end express configuration. +12. You will see the **You're done!** screen which lets you choose one of two options. + + **Figure 8** - All done with Intune for Education express configuration + + ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) + +13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. + +## Add apps bought from Microsoft Store for Education + +- **Example 1 - Minecraft: Education Edition** + + If you would like to purchase Minecraft: Education Edition or want to learn how to get, distribute, and manage permissions for Minecraft: Education Edition, see For IT administrators - get Minecraft: Education Edition. + +- **Example 2 - Free educational/reference apps** + + 1. In the Intune for Education console, click **Apps** from the menu on the left. + + **Figure 9** - Click on **Apps** to see the list of apps for your tenant + + ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) + + 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. 
+ + **Figure 10** - Select the option to add a new Store app + + ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) + + 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. + + For example, these apps are free: + - Duolingo - Learn Languages for Free + - Flashcards Pro + - Khan Academy + - My Study Life + + 4. Find or select the app you want to install and click **Get the app**. + 5. In the app's Store page, click the **...** button and select **Add to private store**. + 6. Repeat steps 3-5 to install another app or move to the next step. + 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. + + For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. + + **Figure 11** - Apps inventory in Microsoft Store for Education + + ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) + + In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. + + > [!NOTE] + > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. + +## Install apps for all users + +Now that you've bought the apps, use Intune for Education to specify the group to install the apps for. 
Here, we'll show you how to install the apps you bought for all devices used by all users in your tenant. + +1. In the Intune for Education console, click the **Groups** option from the menu on the left. + + **Figure 12** - Groups page in Intune for Education + + ![Groups page in Intune for Education](images/i4e_groupspage.png) + +2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. + + **Figure 13** - List of all users in the tenant + + ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) + +3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. + + **Figure 14** - Edit apps to assign them to users + + ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) + +4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. + + **Figure 15** - Select the apps to deploy to the group + + ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) + +5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. +6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. + + **Figure 16** - Updated list of assigned apps + + ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) + +You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. 
+
+
+
+> [!div class="step-by-step"]
+[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
+[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
+
+
+
+## Related topic
+[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
\ No newline at end of file
diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md
new file mode 100644
index 0000000000..6c9b89cb9d
--- /dev/null
+++ b/education/get-started/use-school-data-sync.md
@@ -0,0 +1,183 @@ +--- +title: Use School Data Sync to import student data +description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. +keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: get-started +ms.localizationpriority: high +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 07/10/2017 +--- + +# Use School Data Sync to import student data + +School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. + +Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/en-us/education/get-started/get-started-with-microsoft-education#setup-options) instead. + +You can watch the video to see how this is done, or follow the step-by-step guide.
+ +
+ + +You can watch the descriptive audio version here: [Microsoft Education: Use School Data Sync to import student data (DA)](https://www.youtube.com/watch?v=l4b086IMtvc) + + +## Download sample school data + +1. Go to the O365-EDU-Tools GitHub site. +2. Click the green **Clone or download** button to download the SDS sample files. + + **Figure 1** - Download the SDS sample files from GitHub + + ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png) + +3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder. +4. Go to the folder where you saved the .zip and unzip the files. +5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files. + + **Figure 2** - Sample CSV files + + ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png) + + > [!NOTE] + > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in. + > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization. + > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section. + +To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting. + +## Use SDS to import student data + +1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. +2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**. 
+ + **Figure 3** - Settings for managing SDS + + ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png) + +3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**. + + New menu options will appear on the left of the SDS portal. + + **Figure 4** - New menu options appear after SDS is turned on + + ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png) + +4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data. + + This opens up the new profile setup wizard within the main page. + + **Figure 5** - New SDS profile setup wizard + + ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png) + +5. For the new profile, in the **How do you want to connect to your school?** screen: + 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*. + 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**. + 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**. + 4. Click **Start**. + +6. In the **Sync options** screen: + 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. + 2. In the **Import data** section: + 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. + 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. + 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. + 4. 
In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. + + > [!NOTE] + > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. + + 5. After all the files are successfully uploaded, click **OK**. + + 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. + 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. + 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. + 6. In the **Student enrollment option** section: + * If you want to sync your student roster data immediately, leave the box unchecked. + * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. + 7. 
In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. + 8. Click **Next**. + + **Figure 6** - Sync options for the new profile + + ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png) + +7. In the **Teacher options** screen: + 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. + 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**. + 4. Click **Next**. + + **Figure 7** - Specify options for teacher mapping + + ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png) + +8. In the **Student options** screen: + 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. + 2. 
In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. + 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**. + 4. Click **Next**. + + **Figure 8** - Specify options for student mapping + + ![Specify options for student mapping](images/sds_profile_student_options_062317.png) + +9. In the profile **Review** page, review the summary and confirm that the options selected are correct. +10. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile. + + **Figure 9** - SDS profile page + + ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png) + +11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on: + * Stage 1 - Validating data + * Stage 2 - Processing schools and sections + * Stage 3 - Processing students and teachers + * Stage 4 - Adding students and teachers into sections + * Stage 5 - Setting up security groups + + If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. 
Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. + + Once you've completed all five sync stages, your profile status will update one final time. + * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.** + * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved. + + Here are some examples of what the sync status can look like: + + **Figure 10** - New profile: Sync in progress + + ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) + + **Figure 11** - New profile: Sync complete - no errors + + ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) + + **Figure 12** - New profile: Sync complete - with errors + + ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) + + Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. + + You can refresh the page to confirm that your profile synced successfully. + +That's it for importing sample school data using SDS. 
+ + + +> [!div class="step-by-step"] +[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +[Enable Microsoft Teams for your school >>](enable-microsoft-teams.md) + +## Related topic +[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) \ No newline at end of file diff --git a/education/images/education-ms-teams.svg b/education/images/education-ms-teams.svg new file mode 100644 index 0000000000..041429e604 --- /dev/null +++ b/education/images/education-ms-teams.svg @@ -0,0 +1,258 @@ + + + + + education-pro-usb copy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-aep-2.svg b/education/images/education-partner-aep-2.svg new file mode 100644 index 0000000000..6bf0c2c3ac --- /dev/null +++ b/education/images/education-partner-aep-2.svg @@ -0,0 +1,84 @@ + + + + + education-partner-aep-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-directory-3.svg b/education/images/education-partner-directory-3.svg new file mode 100644 index 0000000000..ba8f644949 --- /dev/null +++ b/education/images/education-partner-directory-3.svg @@ -0,0 +1,95 @@ + + + + + education-partner-directory-3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/images/education-partner-mepn-1.svg b/education/images/education-partner-mepn-1.svg new file mode 100644 index 0000000000..b2585e2969 --- /dev/null +++ b/education/images/education-partner-mepn-1.svg @@ -0,0 +1,103 @@ + + + + + education-partner-mepn-1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/education/images/education-partner-yammer.svg b/education/images/education-partner-yammer.svg new file mode 100644 index 0000000000..c92245652e --- /dev/null +++ b/education/images/education-partner-yammer.svg @@ -0,0 +1,19 @@ + + + + + education-partner-yammer + + + + + + + + + + diff --git a/education/images/education-pro-usb.svg b/education/images/education-pro-usb.svg new file mode 100644 index 0000000000..37f83e26da --- /dev/null +++ b/education/images/education-pro-usb.svg @@ -0,0 +1,111 @@ + + + + + education-pro-usb + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/education/index.md b/education/index.md index f1dbb98cc3..bb44bf632a 100644 --- a/education/index.md +++ b/education/index.md @@ -45,6 +45,24 @@ ms.author: celested +
  • + +
    +
    +
    +
    +
    + Test Windows 10 S for education +
    +
    +
    + Test Windows 10 S for Education +
    +
    +
    +
    +
    +
  • @@ -215,7 +233,7 @@ ms.author: celested
    - Set up School PCs + Set up School PCs
    @@ -234,7 +252,7 @@ ms.author: celested
    - Meet Microsoft Teams + Meet Microsoft Teams
    @@ -377,7 +395,7 @@ ms.author: celested
    - Meet Microsoft Teams + Meet Microsoft Teams
    @@ -396,7 +414,7 @@ ms.author: celested \ No newline at end of file diff --git a/education/windows/TOC.md b/education/windows/TOC.md index a121e92d2e..30aa3f0ba5 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -12,9 +12,11 @@ ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) ### [Take a Test app technical reference](take-a-test-app-technical.md) ## [Working with Microsoft Store for Education](education-scenarios-store-for-business.md) -## [Get Minecraft Education Edition](get-minecraft-for-education.md) +## [Get Minecraft: Education Edition](get-minecraft-for-education.md) ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) +### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md) +## [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) ## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 8cce637c8d..bcbb474550 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md 
@@ -8,13 +8,28 @@ ms.sitesec: library ms.pagetype: edu author: CelesteDG ms.author: celested -ms.date: 06/19/2017 +ms.date: 08/01/2017 --- # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## August 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | +| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | + +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. | +| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. | +| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. | + ## June 2017 | New or changed topic | Description | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index f88c07f4b1..94d98ad536 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices -localizationpriority: high +ms.localizationpriority: high author: craigash ms.author: celested --- 
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 4cbabcfdff..c7c048afcb 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -4,7 +4,9 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons
 keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.prod: w10
+ms.pagetype: edu
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ms.date: 06/19/2017
@@ -16,7 +18,7 @@ ms.date: 06/19/2017 - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. 
To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 70f71c103a..677ecadbb9 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: craigash
 ms.author: celested
 ---
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 6c6ecf4977..e83be61c46 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.pagetype: edu
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: craigash
 ms.author: celested
 ---
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 7d76300a59..b6da8e4c04 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,7 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, as
 keywords: Windows 10 deployment, recommendations, privacy settings, school
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ms.date: 06/19/2017
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 25070b6aa8..4a2fc0fdf9 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -5,7 +5,9 @@ keywords: school, Microsoft Store for Education, Microsoft education store
 ms.prod: W10
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
+searchScope:
+ - Store
 author: trudyha
 ms.author: trudyha
 ---
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
new file mode 100644
index 0000000000..5fe066fdea
--- /dev/null
+++ b/education/windows/get-minecraft-device-promotion.md
@@ -0,0 +1,74 @@
+---
+title: Get Minecraft Education Edition with your Windows 10 device promotion
+description: Windows 10 device promotion for Minecraft Education Edition licenses
+keywords: school, Minecraft, education edition
+ms.prod: W10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.localizationpriority: high
+author: trudyha
+searchScope:
+ - Store
+ms.author: trudyha
+ms.date: 06/29/2017
+---
+
+# Get Minecraft: Education Edition with Windows 10 device promotion
+
+**Applies to:**
+
+- Windows 10
+
+For qualifying customers, receive a one-year, single-user subscription for Minecraft: Education Edition for each Windows 10 device you purchase for your K-12 school. You’ll need your invoice or receipt, so be sure to keep track of that. For more information including terms of use, see [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
+
+## Requirements
+- Qualified Educational Users in K-12 education institutions
+- Windows 10 devices purchased from May 2, 2017 - January 31, 2018
+- Redeem Minecraft: Education Edition licenses from July 1, 2017 - March 17, 2018
+- Microsoft Store for Education admin must submit request for Minecraft: Education Edition licenses
+- Proof of device purchase is required (invoice required)
+
+Full details available at [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
+
+## Redeem Minecraft: Education Edition licenses
+Redeeming your licenses takes just a few steps:
+- Visit the device promotion page
+- Submit a device purchase statement
+- Provide proof of your device purchase
+
+After that, we’ll add the appropriate number of Minecraft: Education Edition licenses to your product inventory in **Microsoft Store for Education** as **Minecraft: Education Edition [subscription]**.
+
+**To redeem Minecraft: Education Edition licenses**
+1. 
Visit [Minecraft: Education Edition and Windows 10 device promotion](https://educationstore.microsoft.com/store/mee-device-promo?setflight=wsfb_devicepromo) in **Microsoft Store for Education**. + + ![Minecraft: Education Edition page in Microsoft Store for Education. ](images/get-mcee-promo.png) + +2. Sign in to **Microsoft Store for Education** using a school account. If you don’t have one, we’ll help you set one up.
    +-or- + + If you're already signed in to Microsoft Store for Education, the device special offer is available on **Benefits**.
    + Click **Manage**, **Benefits**, and then click **Minecraft: Education Edition Device Promotion**. + +3. **On Minecraft Windows 10 device special offer**, click **Submit a device purchase**. + + ![Windows 10 device special offer page for Minecraft: Education Edition. Submit a device purchase is highlighted to show customers how to submit info about the devices you purchased. ](images/mcee-benefits.png) + +4. Provide info for **Proof of Purchase**. Be sure to include a .pdf or .jpg of your invoice, and then click **Next**. + + > [!NOTE] + > Your one-year subscription starts when you submit your proof-of-purchase info. Be sure to submit your request when you'll be using licenses in the classroom. + + ![Proof of purchase page with Invoice area highlighted.](images/proof-of-purchase.png) + +5. Accept the **Promotion Terms of use**, and then click **Submit**.
    + + Success look like this! + + ![Proof of purchase page with Invoice area highlighted.](images/msfe-device-promo-success.png) + +6. Click **Actions** and then click **Manage** to go to the management page for **Minecraft: Education Edition** and distribute licenses. + +## Distribute Minecraft: Education Edition licenses +Teachers or admins can distribute the licenses: +- [Learn how teachers can distribute **Minecraft: Education Edition**](teacher-get-minecraft.md#distribute-minecraft) +- [Learn how IT administrators can distribute **Minecraft: Education Edition**](school-get-minecraft.md#distribute-minecraft) \ No newline at end of file diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 036d1cf2b7..172533af8e 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -5,8 +5,10 @@ keywords: school, Minecraft, education edition ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: trudyha +searchScope: + - Store ms.author: trudyha --- diff --git a/education/windows/images/get-mcee-promo.png b/education/windows/images/get-mcee-promo.png new file mode 100644 index 0000000000..823631367d Binary files /dev/null and b/education/windows/images/get-mcee-promo.png differ diff --git a/education/windows/images/mcee-benefits.png b/education/windows/images/mcee-benefits.png new file mode 100644 index 0000000000..96d0287718 Binary files /dev/null and b/education/windows/images/mcee-benefits.png differ diff --git a/education/windows/images/msfe-device-promo-success.png b/education/windows/images/msfe-device-promo-success.png new file mode 100644 index 0000000000..590a488c11 Binary files /dev/null and b/education/windows/images/msfe-device-promo-success.png differ 
diff --git a/education/windows/images/proof-of-purchase.png b/education/windows/images/proof-of-purchase.png new file mode 100644 index 0000000000..dd78d6329d Binary files /dev/null and b/education/windows/images/proof-of-purchase.png differ diff --git a/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG new file mode 100644 index 0000000000..22df144bdc Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps_073117.PNG differ diff --git a/education/windows/images/suspc_createpackage_summary_073117.PNG b/education/windows/images/suspc_createpackage_summary_073117.PNG new file mode 100644 index 0000000000..c0e4b04723 Binary files /dev/null and b/education/windows/images/suspc_createpackage_summary_073117.PNG differ diff --git a/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG new file mode 100644 index 0000000000..4a4ec886a5 Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatestpage_073117.PNG differ diff --git a/education/windows/index.md b/education/windows/index.md index 33b03ce19c..e84bfe7051 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- @@ -40,10 +40,10 @@ ms.author: celested ## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy -

    [Set up Windows devices for education](set-up-windows-10.md)
    Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

    +

    [Set up Windows devices for education](set-up-windows-10.md)
    Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

    [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    Get step-by-step guidance to help you deploy Windows 10 in a school environment.

    [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

    -

    Try it out: Windows 10 deployment (for education)
    Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

    For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

    +

    [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
    Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

    ## ![Switch to Windows 10 for Education](images/windows.png) Switch @@ -65,3 +65,7 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in ## Related topics - [Microsoft Education documentation and resources](https://docs.microsoft.com/education) - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) + + diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 66feebb077..572ace9f5f 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -5,8 +5,10 @@ keywords: Minecraft, Education Edition, IT admins, acquire ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: trudyha +searchScope: + - Store ms.author: trudyha --- diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 120247f9d3..89cd5cab6a 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index d33c9d5620..b85706e38d 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -5,7 +5,7 @@ keywords: school, student PC setup, Windows Configuration Designer ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 32d966f479..660b765246 100644 
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -2,10 +2,11 @@
 title: Provision student PCs with apps
 description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
 keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
-ms.prod: W10
+ms.prod: w10
+ms.pagetype: edu
 ms.mktglfcycl: plan
 ms.sitesec: library
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index 00647deb81..1498a9f5a3 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
index 1619f08a9a..5e73aec703 100644
--- a/education/windows/switch-to-pro-education.md
+++ b/education/windows/switch-to-pro-education.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
 ---
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 5da7470ad4..5aea9119f6 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -6,9 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu
-localizationpriority: high
+ms.localizationpriority: high
 author: CelesteDG
 ms.author: celested
+ms.date: 07/28/2017
 ---
 # Take a Test app technical reference
@@ -74,6 +75,26 @@ When Take a Test is running, the following functionality is available to student - Ctrl+Alt+Del - Alt+F4 (Take a Test will restart if the student is using a dedicated test account) +## Policies + +If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock. + +**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\
    +**Group Policy name:** Do not display the lock screen
    +**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml
    +**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx
    +  +``` + + +``` + ## Learn more diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index ba5ffb4d9d..64fbb7095c 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 71827e3366..b21ff39bef 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 94b00c53fa..9f2282eb80 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index fb8d30ef6f..4873c007c6 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -5,8 +5,10 @@ keywords: school, Minecraft, Education Edition, educators, teachers, acquire, di ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: trudyha +searchScope: + - Store ms.author: trudyha --- diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md new file mode 100644 index 0000000000..f87cebbbdd 
--- /dev/null
+++ b/education/windows/test-windows10s-for-edu.md
@@ -0,0 +1,242 @@
+---
+title: Test Windows 10 S on existing Windows 10 education devices
+description: Provides guidance on downloading and testing Windows 10 S for existing Windows 10 education devices.
+keywords: Windows 10 S, try, download, school, education, Windows 10 S installer, existing Windows 10 education devices
+ms.mktglfcycl: deploy
+ms.prod: w10
+ms.pagetype: edu
+ms.sitesec: library
+ms.localizationpriority: high
+author: CelesteDG
+ms.author: celested
+ms.date: 08/04/2017
+---
+
+# Test Windows 10 S on existing Windows 10 education devices
+
+**Applies to:**
+- Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise
+
+The Windows 10 S self-installer will allow you to test Windows 10 S on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 S on a variety of devices in your school and share your feedback with us.
+
+Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2).
+
+Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store.
+
+**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+
+**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store.
+
+As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
+
+## Before you install Windows 10 S
+
+### Important information
+
+Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
+* Is intended for education customers to test compatibility with existing hardware
+* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality
+* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
+* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 S is limited to Store apps only
+
+ > [!WARNING]
+ > You can install Windows 10 S on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 S on Windows 10 Home devices as you won't be able to activate it.
+
+* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased
+
+Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media.
+
+Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
+* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
+
+ See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
+
+* Install the latest Windows Update.
+
+ To do this, go to **Settings > Update & security > Windows Update**.
+
+* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 S.
+
+ See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this.
+
+## Supported devices
+
+The Windows 10 S install will install and activate on the following editions of Windows 10 in use by schools:
+* Windows 10 Pro
+* Windows 10 Pro Education
+* Windows 10 Education
+* Windows 10 Enterprise
+
+Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 S installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 S installer.
+
+### Preparing your device to install drivers
+
+Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 S.
+
+### Supported devices and drivers
+
+Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
+
+
+
+| | | |
+| - | - | - |
+| Acer | American Future Tech | Asus |
+| Atec | Axdia | Casper |
+| Cyberpower | Daewoo | Fujitsu |
+| Global K | HP | LANIT Trading |
+| Lenovo | LG | MCJ |
+| Micro P/Exertis | Microsoft | MSI |
+| Panasonic | Positivo SA | Positivo da Bahia |
+| Samsung | Toshiba | Trekstor |
+| Trigem | Vaio | Wortmann |
+
+
+> [!NOTE]
+> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in future.
+
+
+
+## Kept files
+
+Back up all your data before installing Windows 10 S. Only personal files may be kept during installation. Your settings and apps will be deleted.
+
+> [!NOTE]
+> All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later.
+
+## Domain join
+
+Windows 10 S does not support non-Azure Active Directory domain accounts. Before installing Windows 10 S, you must have at least one of these administrator accounts:
+- Local administrator
+- Microsoft Account (MSA) administrator
+- Azure Active Directory administrator
+
+> [!WARNING]
+> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 S.
+
+We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 S in case you run into this issue.
+
+## Installing Office applications
+
+After installing Windows 10 S, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 S (Education preview). You must have an Office license to activate the applications once they are installed.
+
+
+## Switch to previously installed Windows 10 editions
+
+If Windows 10 S is not right for you, you can switch to the Windows 10 edition previously installed on your device(s).
+* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
+* If you try Windows 10 S and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).
+
+## Device recovery
+
+Before installing Windows 10 S, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 S.
+
+### Create a recovery drive
+To create a recovery drive, follow these steps.
+
+1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice.
+2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**.
+3. Connect a USB drive to your PC, select it, and then select **Next > Create**.
+
+ A lot of files need to be copied to the recovery drive so this might take a while.
+
+4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**.
+
+### Go back to your previous edition of Windows 10
+
+Alternatively, for a period of 10 days after you install Windows 10 S, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**.
+
+To go back, you need to:
+* Keep everything in the windows.old and $windows.~bt folders after the upgrade.
+* Remove any user accounts you added after the upgrade.
+
+If going back is not available:
+* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
+* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.
+
+### Use installation media to reinstall Windows 10
+
+> [!WARNING]
+> This will remove all your personal files, apps, and installed drivers. apps and customizations from your PC manufacturer, and changes you made to **Settings**.
+
+To use an installation media to reinstall Windows 10, follow these steps.
+
+1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10).
+2. Download the Media Creation Tool and then run it.
+3. Select **Create installation media for another PC**.
+4. Choose a language, edition, and architecture (64-bit or 32-bit).
+5. Follow the steps to create an installation media and then select **Finish**.
+6. Connect the installation media that you created to your non-functional PC, and then turn it on.
+7. On the initial setup screen, enter your language and other preferences, and then select **Next**.
+
+ If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
+
+8. Select **Install now**.
+9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
+10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
+11. On the **Which type of installation do you want?** page, select **Custom**.
+12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
+13. When you're done formatting, select **Next**.
+14. Follow the rest of the setup instructions to finish installing Windows 10.
+
+## Download Windows 10 S
+Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
+
+When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below:
+
+> [!div class="nextstepaction" style="center"]
+> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
+
+After you install Windows 10 S, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default.
+
+## Terms and Conditions
+Because you’re installing Windows 10 S on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation.
+
+## Support
+Thank you for testing Windows 10 S. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 S on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 S, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 S with your feedback.
+
+Common support questions for the Windows 10 S test program:
+
+* **How do I activate if I don't have a Windows 10 S product key?**
+
+ As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 S and it will automatically activate. Testing Windows 10 S on a device running Windows 10 Home is not recommended and supported at this time.
+
+* **Will my OEM help me run Windows 10 S?**
+
+ OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 S. When testing Windows 10 S, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
+
+* **What happens when I run Reset or Fresh Start on Windows 10 S?**
+
+ **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 S. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 S.
+
+* **What if I want to move from Windows 10 S to Windows 10 Pro?**
+
+ If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, ther emay be a cost to acquire a Windows 10 Pro license in the Store.
+
+For help with activation issues, click on the appropriate link below for support options.
+* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team.
+* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/en-us/contactus/) website and choose a support option.
+
+
+

    +1 Internet access fees may apply.
    +2 Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.
    + +

    + diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bfc4179cfa..21e94929b9 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -6,10 +6,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested -ms.date: 06/26/2017 +ms.date: 08/01/2017 --- # Use the Set up School PCs app @@ -19,8 +19,6 @@ ms.date: 06/26/2017 IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. -![Set up School PCs app](images/suspc_getstarted_050817.png) - ## What does this app do? Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: @@ -41,6 +39,14 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm - Uninstalls apps not specific to education, such as Solitaire - Prevents students from adding personal Microsoft accounts to the PC +You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
    + +
    + +You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI) + ## Tips for success * **Run the same Windows 10 build on the admin device and the student PCs** @@ -113,7 +119,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) 2. Click **Get started**. -3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: +3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page: To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. @@ -134,7 +140,7 @@ The **Set up School PCs** app guides you through the configuration choices for t 5. Click **Next**. -4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: +4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. 
@@ -146,7 +152,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) -5. To assign a name to the student PCs, in the **Name these devices** page: +5. To assign a name to the student PCs, in the **Name these devices** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. > [!NOTE] @@ -156,7 +162,7 @@ The **Set up School PCs** app guides you through the configuration choices for t 2. Click **Next**. -6. To specify other settings for the student PC, in the **Configure student PC settings** page: +6. To specify other settings for the student PC, in the **Configure student PC settings** page: - Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image. > [!NOTE] 
@@ -180,44 +186,45 @@ The **Set up School PCs** app guides you through the configuration choices for t When you're doing configuring the student PC settings, click **Next**. -7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. - 1. Enter the assessment URL. +7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test. + 1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs. 2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. + 3. Enter the assessment URL. - If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. + You can leave the URL blank so that students can enter one later. This enables teachers to use the the Take a Test account for daily quizzes or tests by having students manually enter a URL. **Figure 5** - Configure the Take a Test app - ![Configure the Take a Test app](images/suspc_createpackage_takeatest.png) + ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png) 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: +8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. 
The recommended apps include the following: * **Office 365 for Windows 10 S (Education Preview)** * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. * **Minecraft: Education Edition** - Free trial * Popular **STEM and Makerspace apps** - 1. Select the apps that you would like to provision and then click **Next** when you're done. + 1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu. 2. Click **Skip** if you don't want to provision any apps. - **Figure 6** - Select from a set of recommended Microsoft Store apps + **Figure 6** - Select from a set of recommended apps - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png) + ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png) The set of recommended Microsoft Store for Education apps may vary from what we show here. -9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. +9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. **Figure 7** - Review your settings and change them as needed - ![Review your settings and change them as needed](images/suspc_createpackage_summary.png) + ![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png) 2. Click **Accept**. -10. In the **Insert a USB drive now** page: +10. In the **Insert a USB drive now** page: 1. 
Insert a USB drive to save your settings and create a provisioning package on the USB drive. 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. 3. Click **Save** to save the provisioning package to the USB drive. @@ -232,7 +239,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) -12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. +12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. **Figure 10** - Line up the student PCs and get them ready for setup diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index f25dbdafb2..1b6b32c8a9 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -localizationpriority: high +ms.localizationpriority: high author: CelesteDG ms.author: celested --- 
@@ -27,7 +27,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana1, +For Cortana[1](#footnote1), - If you're using version 1607, Cortana is removed. - If you're using new devices with version 1703, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703, Cortana will be enabled. @@ -60,7 +60,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us). ## Related topics -* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) +* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) * [Windows deployment for education](http://aka.ms/edudeploy) * [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787) * [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788) @@ -69,4 +69,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https: -1 Cortana available in select markets; experience may vary by region and device. +1 Cortana available in select markets; experience may vary by region and device. 
diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index 20edf8efe4..567bc31c42 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -288,9 +288,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc

    Sourcepath = "\\Server\Office2016”

    -

    Branch (attribute of Add element)

    -

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    -

    Branch = "Business"

    +

    Channel (attribute of Add element)

    +

    Optional. Specifies the update channel for the product that you want to download or install.

    For more information about update channels, see Overview of update channels for Office 365 ProPlus.

    +

    Channel="Deferred"

    diff --git a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md index bfe000fee3..574338d185 100644 --- a/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md +++ b/mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md @@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers [ SMS_Report (TRUE) ] Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")] @@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] 
@@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] @@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers string EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), 
@@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md index 832f226de7..bef23c5b02 100644 --- a/mdop/mbam-v2/edit-the-configurationmof-file.md +++ b/mdop/mbam-v2/edit-the-configurationmof-file.md 
@@ -42,8 +42,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 //=================================================== // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -75,8 +75,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { @@ -137,8 +137,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended 
@@ -149,8 +149,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended @@ -181,8 +181,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -214,8 +214,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { 
@@ -276,8 +276,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy_64 { @@ -338,8 +338,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -350,8 +350,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 78d2526dde..bb53d965cc 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md 
@@ -69,30 +69,27 @@ The following diagram and table describe the recommended high-level architecture ![mbam2\-5](images/mbam2-5-cmserver.png) -Server -Features to configure on this server -Description -Database Server +### Database Server -Recovery Database +#### Recovery Database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Recovery Database** stores recovery data that is collected from MBAM Client computers. -Audit Database +#### Audit Database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Audit Database** stores audit activity data that is collected from client computers that have accessed recovery data. -Reports +#### Reports This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. -Configuration Manager Primary Site Server +### Configuration Manager Primary Site Server System Center Configuration Manager Integration feature @@ -104,9 +101,9 @@ System Center Configuration Manager Integration feature - The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software. -Administration and Monitoring Server +### Administration and Monitoring Server -Administration and Monitoring Website +#### Administration and Monitoring Website This feature is configured on a computer running Windows Server. 
@@ -116,13 +113,13 @@ The **Administration and Monitoring Website** is used to: - View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console. -Self-Service Portal +#### Self-Service Portal This feature is configured on a computer running Windows Server. The **Self-Service Portal** is a website that enables end users on client computers to independently log on to a website to get a recovery key if they lose or forget their BitLocker password. -Monitoring web services for this website +#### Monitoring web services for this website This feature is installed on a computer running Windows Server. @@ -133,9 +130,9 @@ The Monitoring Web Service is no longer available in Microsoft BitLocker Adminis   -Management Workstation +### Management Workstation -MBAM Group Policy Templates +#### MBAM Group Policy Templates - The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption. @@ -146,9 +143,9 @@ MBAM Group Policy Templates   -MBAM Client and Configuration Manager Client computer +### MBAM Client and Configuration Manager Client computer -MBAM Client software +#### MBAM Client software The **MBAM Client**: @@ -158,7 +155,7 @@ The **MBAM Client**: - Collects recovery information and computer information about the client computers. -Configuration Manager Client +#### Configuration Manager Client The **Configuration Manager Client** enables Configuration Manager to collect hardware compatibility data about the client computers and report compliance information. diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index 5c94f5c77b..791868131d 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md 
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md @@ -20,7 +20,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa **How to download and deploy the MDOP Group Policy templates** -1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=54957) +1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) 2. Run the downloaded file to extract the template folders. diff --git a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md index d6b256689e..51c1b74957 100644 --- a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md +++ b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md @@ -27,7 +27,7 @@ ADMX files can be installed and tested locally on any computer that runs the Win **To download the UE-V ADMX templates** -1. Download the UE-V ADMX template files: . +1. Download the UE-V ADMX template files: . 2. For more information about how to deploy the Group Policy templates, see . diff --git a/microsoft-365/TOC.md b/microsoft-365/TOC.md new file mode 100644 index 0000000000..06913f7aef --- /dev/null +++ b/microsoft-365/TOC.md @@ -0,0 +1 @@ +# [Index](index.md) \ No newline at end of file diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json new file mode 100644 index 0000000000..585130e915 --- /dev/null +++ b/microsoft-365/docfx.json 
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "microsoft-365"
+ }
+}
\ No newline at end of file
diff --git a/microsoft-365/index.md b/microsoft-365/index.md
new file mode 100644
index 0000000000..9680f85fcc
--- /dev/null
+++ b/microsoft-365/index.md
@@ -0,0 +1,68 @@
+---
+layout: HubPage
+hide_bc: true
+author: v-kents
+ms.author: celested
+ms.topic: hub-page
+title: Microsoft 365 Documentation
+description: Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
+---
+
\ No newline at end of file
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 514ff6cfea..0b9807c98b 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
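Review bot: In the new `microsoft-365/docfx.json`, the `content` block's `exclude` list names `LICENSE`, `LICENSE-CODE` and `ThirdPartyNotices`, but its `files` pattern is only `**/*.md`, so those three entries can never match an included file. The list could be reduced to `"**/obj/**", "**/includes/**", "README.md"`, or the include pattern widened if other file types were meant to be published. The `resource` block likewise picks up only `**/*.png` and `**/*.jpg`, so an image in any other format referenced from this docset would presumably not be copied to the output; that is worth checking against the other docsets' settings, which are not visible in this hunk.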
@@ -14,12 +14,14 @@
 ### [Assign apps to employees](assign-apps-to-employees.md)
 ### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
 ### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps](manage-apps-windows-store-for-business-overview.md)
+## [Manage apps and devices](manage-apps-windows-store-for-business-overview.md)
 ### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md)
 ### [Manage app orders in Microsoft Store for Business and Education](manage-orders-windows-store-for-business.md)
 ### [Manage access to private store](manage-access-to-private-store.md)
 ### [Manage private store settings](manage-private-store-settings.md)
 ### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
+### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
 ## [Device Guard signing portal](device-guard-signing-portal.md)
 ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
 ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
@@ -28,4 +30,5 @@
 ### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
 ## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
 ## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
+## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md
index a0af9518aa..aa700ada3e 100644
--- a/store-for-business/acquire-apps-windows-store-for-business.md
+++ b/store-for-business/acquire-apps-windows-store-for-business.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Acquire apps in Microsoft Store for Business and Education
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
new file mode 100644
index 0000000000..0f6cc91a16
--- /dev/null
+++ b/store-for-business/add-profile-to-devices.md
@@ -0,0 +1,126 @@ +--- +title: Manage Windows device deployment with Windows AutoPilot Deployment +description: Add an AutoPilot profile to devices. AutoPilot profiles control what is included in Windows set up experience for your employees. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.author: TrudyHa +ms.date: 07/05/2107 +ms.localizationpriority: high +--- + +# Manage Windows device deployment with Windows AutoPilot Deployment + +**Applies to** + +- Windows 10 + +> [!IMPORTANT] +> This topic has been updated to reflect the latest functionality, which we are releasing to customers in stages. You may not see all of the options described here until you receive the update. + +Windows AutoPilot Deployment Program simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). + +## What is Windows AutoPilot Deployment Program? +In Microsoft Store for Business, you can manage devices for your organization and apply an *AutoPilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. + +You can create and apply AutoPilot deployment profiles to these devices. The overall process looks like this. + +![Block diagram with main steps for using AutoPilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png) + +Figure 1 - Windows AutoPilot Deployment Program process + +AutoPilot deployment profiles have two main parts: default settings that can't be changed, and optional settings that you can include. 
+ +### AutoPilot deployment profiles - default settings +These settings are configured with all AutoPilot deployment profiles: +- Skip Cortana, OneDrive, and OEM registration setup pages +- Automatically setup for work or school +- Sign in experience with company or school brand + +### AutoPilot deployment profiles - optional settings +These settings are off by default. You can turn them on for your AutoPilot deployment profiles: +- Skip privacy settings +- Disable local admin account creation on the device + +## Windows AutoPilot deployment profiles in Microsoft Store for Business and Education +You can manage new devices in Microsoft Store for Business or Microsoft Store for Education. Devices need to meet these requirements: +- Windows 10, version 1703 or later +- New devices that have not been through Windows out-of-box experience. + +## Add devices and apply AutoPilot deployment profile +To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains specific information about the devices. You should be able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices. + +### Device information file format +Columns in the device information file need to use this naming and be in this order: +- Column 1: Device Serial Number +- Column 2: Windows Product ID +- Column 3: Hardware Hash + +When you add devices, you need to add them to an *AutoPilot deployment group*. Use these groups to apply AutoPilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an AutoPilot deployment group. + +> [!NOTE] +> You can only add devices to a group when you add devices to **Microsoft Store for Business and Education**. If you decide to reorganize devices into different groups, you'll need to delete them from **Devices** in **Microsoft Store**, and add them again. 
+ +**Add and group devices** +1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Devices**. +3. Click **Add devices**, navigate to the *.csv file and select it. +4. Type a name for a new AutoPilot deployment group, or choose one from the list, and then click **Add**.
    +If you don't add devices to a group, you can select the individual devices to apply a profile to.
    +![Screenshot of Add devices to a group dialog. You can create a new group, or select a current group.](images/add-devices.png)
    + +5. Click the devices or AutoPilot deployment group that you want to manage. You need to select devices before you can apply an AutoPilot deployment profile. You can switch between seeing groups or devices by clicking **View groups** or **View devices**. + +**Apply AutoPilot deployment profile** +1. When you have devices selected, click **AutoPilot deployment**. +2. Choose the AutoPilot deployment profile to apply to the selected devices. + + > [!NOTE] + > The first time you use AutoPilot deployment profiles, you'll need to create one. See [Create AutoPilot profile](#create-autopilot-profile). + +3. Microsoft Store for Business applies the profile to your selected devices, and shows the profile name on **Devices**. + +## Manage AutoPilot deployment profiles +You can manage the AutoPilot deployment profiles created in Microsoft Store. You can create a new profile, edit, or delete a profile. + +### Create AutoPilot profile + +1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Devices**. +3. Click **AutoPilot deployment**, and then click **Create new profile**. +4. Name the profile, choose the settings to include, and then click **Create**.
    +The new profile is added to the **AutoPilot deployment** list. + +### Edit or delete AutoPilot profile + +1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Devices**. +3. Click **AutoPilot deployment**, click **Edit your profiles**, and then choose the profile to edit. +TBD: art +4. Change settings for the profile, and then click **Save**.
    +-or-
    +Click **Delete profile** to delete the profile. + +## Apply a different AutoPilot deployment profile to devices +After you've applied an AutoPilot deployment profile to a device, if you decide to apply a different profile, you can remove the profile and apply a new profile. + +> [!NOTE] +> The new profile will only be applied if the device has not been started, and gone through the out-of-box experience. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. + +## AutoPilot device information file error messages +Here's info on some of the errors you might see while working with AutoPilot deployment profiles in **Microsoft Store for Business and Education**. + +| Message Id | Message explanation | +| ---------- | ------------------- | +| wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. | +| wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. | +| wadp003 | Looks like you need more than one .csv file for your devices. The maximum allowed is 1,000 items. You’re over the limit! Divide this device data into multiple .csv files. | +| wadp004 | Try that again. Something happened on our end. Waiting a bit might help. | +| wadp005 | Check your .csv file with your device provider. One of the devices on your list has been claimed by another organization. | +| wadp006 | Try that again. Something happened on our end. Waiting a bit might help. | +| wadp007 | Check the info for this device in your .csv file. The device is already registered in your organization. | +| wadp008 | The device does not meet AutoPilot Deployment requirements. | +| wadp009 | Check with your device provider for an update .csv file. 
The current file doesn’t work | +| wadp010 | Try that again. Something happened on our end. Waiting a bit might help. | diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index 46c453edf1..c3c6701559 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Add unsigned app to code integrity policy diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md index 379618509a..062c2dbeef 100644 --- a/store-for-business/app-inventory-management-windows-store-for-business.md +++ b/store-for-business/app-inventory-management-windows-store-for-business.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.author: TrudyHa +ms.date: 06/29/2017 --- # App inventory management for Microsoft Store for Business and Education 
@@ -165,4 +167,16 @@ You can download offline-licensed apps from your inventory. You'll need to downl
 For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
-For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
\ No newline at end of file
+For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
+
+## Manage products programmatically
+
+Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business).
+
+You can download a preview PoweShell script that uses REST APIs. The script is available from PowerShell Gallery. You can use to the script to:
+- View items in inventory (**Apps & software**)
+- Manage licenses - assigning and removing
+- Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses
+
+> [!NOTE]
+> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell.
\ No newline at end of file
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-windows-store-for-business.md
index 4c037486e6..116d6a33fa 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-windows-store-for-business.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Apps in Microsoft Store for Business and Education diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md index b2c821a77a..ff20b5bbab 100644 --- a/store-for-business/assign-apps-to-employees.md +++ b/store-for-business/assign-apps-to-employees.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Assign apps to employees diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md index 455c12dea0..2074e51990 100644 --- a/store-for-business/configure-mdm-provider-windows-store-for-business.md +++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Configure an MDM provider diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 4365cacfe3..f2fdf4a8d4 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Device Guard signing diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index f93a4ac288..1b56b97f4b 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps using your private store diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md index 21a610dc18..dc3de6e6a7 100644 --- a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md +++ b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps to your employees from Microsoft Store for Business and Education diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index befde0855e..557c355557 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute apps with a management tool diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 72078b74da..1d3c0b70b4 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Distribute offline apps diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 9fe69e52a3..accb0bcea0 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json 
@@ -37,6 +37,7 @@ "ms.technology": "windows", "ms.topic": "article", "ms.date": "05/09/2017", + "searchScope": ["Store"], "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.store-for-business" diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 1c2ebc03b3..52f7890448 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -14,6 +14,7 @@ ## [Get Minecraft: Education Edition](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json) ### [For teachers: get Minecraft Education Edition](/education/windows/teacher-get-minecraft?toc=/microsoft-store/education/toc.json) ### [For IT administrators: get Minecraft Education Edition](/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json) +### [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-for-education?toc=/microsoft-store/education/toc.json) ## [Distribute apps to your employees from the Microsoft Store for Business and Education](/microsoft-store/distribute-apps-to-your-employees-windows-store-for-business?toc=/microsoft-store/education/toc.json) ### [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store?toc=/microsoft-store/education/toc.json) ### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json) diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md index fd460d3479..2a4a9e8fba 100644 --- a/store-for-business/find-and-acquire-apps-overview.md +++ b/store-for-business/find-and-acquire-apps-overview.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Find and acquire apps 
diff --git a/store-for-business/images/add-devices.png b/store-for-business/images/add-devices.png new file mode 100644 index 0000000000..b8f274c600 Binary files /dev/null and b/store-for-business/images/add-devices.png differ diff --git a/store-for-business/images/autopilot-process.png b/store-for-business/images/autopilot-process.png new file mode 100644 index 0000000000..491b8c0ef0 Binary files /dev/null and b/store-for-business/images/autopilot-process.png differ diff --git a/store-for-business/images/lob-sku.png b/store-for-business/images/lob-sku.png new file mode 100644 index 0000000000..8637fd3f3d Binary files /dev/null and b/store-for-business/images/lob-sku.png differ diff --git a/store-for-business/index.md b/store-for-business/index.md index f8fca9deb1..47bb90b981 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Store for Business and Education diff --git a/store-for-business/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-windows-store-for-business-overview.md index 6757e4eecd..e5c6524871 100644 --- a/store-for-business/manage-apps-windows-store-for-business-overview.md +++ b/store-for-business/manage-apps-windows-store-for-business-overview.md @@ -1,5 +1,5 @@ --- -title: Manage apps in Microsoft Store for Business (Windows 10) +title: Manage apps and devices in Microsoft Store for Business (Windows 10) description: Manage settings and access to apps in Microsoft Store for Business. ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 ms.prod: w10 @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage apps in Microsoft Store for Business and Education 
@@ -26,4 +26,5 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft | [Manage access to private store](manage-access-to-private-store.md) | You can manage access to your private store in Store for Business. | | [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. | | [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. | -| [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. | \ No newline at end of file +| [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. | +| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. 
When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. | \ No newline at end of file diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-windows-store-for-business.md index eb5218d9ec..08da797130 100644 --- a/store-for-business/manage-orders-windows-store-for-business.md +++ b/store-for-business/manage-orders-windows-store-for-business.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage app orders in Microsoft Store for Business and Education diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 470e99fbed..af833aefb3 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage private store settings diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md index 906f3174a0..f9592cd92e 100644 --- a/store-for-business/manage-settings-windows-store-for-business.md +++ b/store-for-business/manage-settings-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage settings for Microsoft Store for Business and Education diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-windows-store-for-business.md index f2cc141ca7..eb0834b8b6 100644 
--- a/store-for-business/manage-users-and-groups-windows-store-for-business.md +++ b/store-for-business/manage-users-and-groups-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Manage user accounts in Microsoft Store for Business and Education diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md new file mode 100644 index 0000000000..b36cf701fa --- /dev/null +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md 
@@ -0,0 +1,155 @@
+---
+title: Microsoft Store for Business and Education PowerShell module - preview
+description: Preview version of PowerShell module
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+localizationpriority: high
+ms.author:
+ms.date:
+---
+
+# Microsoft Store for Business and Education PowerShell module - preview
+
+**Applies to**
+- Windows 10
+
+Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
+
+> [!NOTE]
+> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
+
+You can use the PowerShell module to:
+- View items you've purchased - shown in **Apps & software**
+- Manage licenses - assigning and removing
+- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
+
+>[!NOTE]
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Azure Active Directory Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+
+## Requirements
+To use the Microsoft Store for Business and Education PowerShell module, you'll need:
+- Administrator permission for the device
+- Admin role for Microsoft Store for Business and Education
+
+
+## Get started with Microsoft Store for Business and Education PowerShell module
+All of the **Microsoft Store for Business and Education** PowerShell cmdlets follow the *Verb*-MSStore*Noun* pattern to clearly indicate that they work with **Microsoft Store for Business and Education** PowerShell module. You will need to install the module on your Windows 10 device once and then import it into each PowerShell session you start.
+
+## Install Microsoft Store for Business and Education PowerShell module
+> [!NOTE]
+> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](http://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default).
+
+To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command:
+
+```powershell
+# Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery
+
+Install-Module -Name MSStore
+
+```
+
+## Import MIcrosoft Store for Business and Education PowerShell module into the PowerShell session
+Once you install the module on your Windows 10 device, you will need to then import it into each PowerShell session you start.
+
+```powershell
+# Import the MSStore module into this session
+
+Import-Module -Name MSStore
+
+```
+
+Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module.
+
+To authorize the PowerShell module, run this command. You'll need to sign-in with your work or school account, and authorize the module to access your tenant.
+
+```powershell
+# Grant MSStore Access to your Microsoft Store for Business and Education
+
+Grant-MSStoreClientAppAccess
+
+```
+You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
+
+## View items in Products and Services
+Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.
+
+```powershell
+# View items in inventory (Apps & software)
+
+Get-MSStoreInventory
+
+```
+
+>[!TIP]
+>**Get-MSStoreInventory** won't return the product name for line-of-business apps. To get the product ID and SKU for a line-of-business app:
+>
+>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
+>2. Click **Manage** and then choose **Apps & software**.
+>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
+>![Url after apps/ is product id and next is SKU](images/lob-sku.png)
+
+## View people assigned to a product
+Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
+
+```powershell
+# View products assigned to people
+
+Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016
+
+```
+
+> [!Important]
+> Microsoft Store for Business and Education identifies Minecraft: Education Edition license types using a combination of Product ID and SKU ID. To manage license assignments for your Minecraft: Education Edition, you need to specify Product and SKU IDs for the licenses you want to manage in the cmdlet. The following table lists the Product and SKU IDs.
+
+
+| License Type | Product ID | SKU ID |
+| ------------ | -----------| -------|
+| Purchased through Microsoft Store for Business and Education with a credit card | CFQ7TTC0K5DR | 0001 |
+| Purchased through Microsoft Store for Business and Education with an invoice | CFQ7TTC0K5DR | 0004 |
+| Purchased through Microsoft Volume Licensing Agreement | CFQ7TTC0K5DR | 0002 |
+| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 |
+
+## Assign or reclaim products
+Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org.
+
+These commands assign a product to a user and then reclaim it.
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com'
+
+```
+
+## Assign or reclaim a product with a .csv file
+You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module.
+
+**To assign or reclaim seats in bulk:**
+
+```powershell
+# Assign Product (Product ID and SKU ID combination) to a User (user@host.com)
+
+Add-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+# Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com)
+
+Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName
+
+```
+
+## Uninstall Microsoft Store for Business and Education PowerShell module
+You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command.
+
+```powershell
+# Uninstall the MSStore Module
+
+Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module
+
+```
\ No newline at end of file
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index cb657a21ef..0d541ce0d6 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Notifications in Microsoft Store for Business and Education diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-windows-store-for-business.md index c76035ac35..a07a501b9e 100644 --- a/store-for-business/prerequisites-windows-store-for-business.md +++ b/store-for-business/prerequisites-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Prerequisites for Microsoft Store for Business and Education diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md index 7a3cd37936..8b3a7e74a3 100644 --- a/store-for-business/roles-and-permissions-windows-store-for-business.md +++ b/store-for-business/roles-and-permissions-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Roles and permissions in Microsoft Store for Business and Education diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md index 08ce28a32e..09fbf09a41 100644 --- a/store-for-business/settings-reference-windows-store-for-business.md +++ b/store-for-business/settings-reference-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Settings reference: Microsoft Store for Business and Education 
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
new file mode 100644
index 0000000000..ed0904b3ee
--- /dev/null
+++ b/store-for-business/sfb-change-history.md
@@ -0,0 +1,46 @@
+---
+title: Change history for Microsoft Store for Business and Education
+description: Summary of topic changes for Microsoft Store for Business and Microsoft Store for Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.author: TrudyHa
+ms.date: 07/12/2107
+ms.localizationpriority: high
+---
+
+# Change history for Microsoft Store for Business and Microsoft Store for Education
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+## July 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
+
+
+## June 2017
+| New or changed topic | Description |
+| -------------------- | ----------- |
+| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
+| [Get Minecraft: Education Edition with Windows 10 device promotion](https://docs.microsoft.com/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
+| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |
+
+## July 2017
+ 
+| New or changed topic | Description |
+| -------------------- | ----------- |
+| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | New. Information about Windows AutoPilot Deployment Program and how it is used in Microsoft Store for Business and Education. 
| +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | +  + + + + + diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index 28adabcee9..09775ac8fe 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, security author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign code integrity policy with Device Guard signing diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-windows-store-for-business-overview.md index 8b61671bfe..496e92c40e 100644 --- a/store-for-business/sign-up-windows-store-for-business-overview.md +++ b/store-for-business/sign-up-windows-store-for-business-overview.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign up and get started diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-windows-store-for-business.md index f716149cbc..cd3f6bd322 100644 --- a/store-for-business/sign-up-windows-store-for-business.md +++ b/store-for-business/sign-up-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Sign up for Microsoft Store for Business or Microsoft Store for Education 
diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-windows-store-for-business.md index b12f94afae..2443391b42 100644 --- a/store-for-business/troubleshoot-windows-store-for-business.md +++ b/store-for-business/troubleshoot-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Troubleshoot Microsoft Store for Business diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index f844b5251a..f88eec0840 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Update Microsoft Store for Business and Microsoft Store for Education account settings @@ -56,6 +56,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Lithuania - Luxembourg - Malta +- Monaco - Netherlands - Norway - Poland @@ -74,8 +75,10 @@ These countries can provide their VAT number or local equivalent in **Payments & |------|----------------| | Australia | ABN (optional) | | Brazil | CNPJ (required) | -| India | CST ID, VAT ID (both are optional) | +| India | GSTIN (optional), PAN ID (required) | +| Isle of Man | VAT ID (optional) | | New Zealand | GST Registration number (optional) | +| Monaco | VAT ID (optional) | | Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 5bc9195325..0ec624a13e 100644 --- a/store-for-business/windows-store-for-business-overview.md 
+++ b/store-for-business/windows-store-for-business-overview.md @@ -7,7 +7,7 @@ ms.pagetype: store, mobile ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Microsoft Store for Business and Microsoft Store for Education overview @@ -157,16 +157,20 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. -### Support for free and paid apps +### Support for free and paid products - + - + - + - @@ -305,7 +341,6 @@ Microsoft Store for Business and Education is currently available in these marke ### Support for free apps Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: -- India - Russia ### Support for free apps and Minecraft: Education Edition @@ -317,8 +352,11 @@ Customers in these markets can use Microsoft Store for Business and Education to - Bosnia - Brazil - Georgia +- India +- Isle of Man - Kazakhstan - Korea +- Monaco - Republic of Moldova - Taiwan - Tajikistan diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index ca39d9903b..1c683c1be0 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Working with line-of-business apps diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md index d9e141960f..7dbb46c015 100644 --- a/windows/access-protection/TOC.md +++ b/windows/access-protection/TOC.md 
@@ -179,11 +179,4 @@ ##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md) ## [Windows Hello for Business](hello-for-business/hello-identity-verification.md) -### [How Windows Hello for Business works](hello-for-business/hello-how-it-works.md) -### [Manage Windows Hello for Business in your organization](hello-for-business/hello-manage-in-organization.md) -### [Why a PIN is better than a password](hello-for-business/hello-why-pin-is-better-than-password.md) -### [Prepare people to use Windows Hello](hello-for-business/hello-prepare-people-to-use.md) -### [Windows Hello and password changes](hello-for-business/hello-and-password-changes.md) -### [Windows Hello errors during PIN creation](hello-for-business/hello-errors-during-pin-creation.md) -### [Event ID 300 - Windows Hello successfully created](hello-for-business/hello-event-300.md) -### [Windows Hello biometrics in the enterprise](hello-for-business/hello-biometrics-in-enterprise.md) + diff --git a/windows/access-protection/access-control/access-control.md b/windows/access-protection/access-control/access-control.md index 006ffb29ab..018b69744e 100644 --- a/windows/access-protection/access-control/access-control.md +++ b/windows/access-protection/access-control/access-control.md 
@@ -114,7 +114,7 @@ User rights grant specific privileges and sign-in rights to users and groups in User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**. -For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/access-user-rights-assignment). +For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). ## Object auditing diff --git a/windows/access-protection/configure-s-mime.md b/windows/access-protection/configure-s-mime.md index 61abd34c67..d2b4456dc9 100644 --- a/windows/access-protection/configure-s-mime.md +++ b/windows/access-protection/configure-s-mime.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- diff --git a/windows/access-protection/credential-guard/additional-mitigations.md b/windows/access-protection/credential-guard/additional-mitigations.md index 706bdef10b..fe6a8ad882 100644 --- a/windows/access-protection/credential-guard/additional-mitigations.md +++ b/windows/access-protection/credential-guard/additional-mitigations.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 1663325a24..482e4b2c85 100644 
--- a/windows/access-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/access-protection/credential-guard/credential-guard-considerations.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/credential-guard/credential-guard-how-it-works.md b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
index da731369ea..45c936d341 100644
--- a/windows/access-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/access-protection/credential-guard/credential-guard-how-it-works.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md
index d3b2ea0fff..b9dd345053 100644
--- a/windows/access-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
@@ -15,14 +15,44 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). +Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). + +The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: + +- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) + + This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) + + +- [KB4033236 Two incorrect logon attempts sent to Active Directory after Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) + + This issue can potentially lead to unexpected account lockouts. 
The issue was fixed in servicing updates for each of the following operating systems: + + - Windows 10 Version 1607 and Windows Server 2016: + [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217) + - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219) + - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221) + + + + + + + + + + + + + + + + + + -The following known issue has been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217) - This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and -[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221) The following issue affects Cisco AnyConnect Secure Mobility Client: @@ -43,7 +73,7 @@ The following issue affects Citrix applications: [1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: -- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/en-us/help/4032786) +- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx) 
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index ee41c90cff..67a4d93402 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
index bce8580dfb..3d3e584993 100644
--- a/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/credential-guard/credential-guard-protection-limits.md b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
index f159c931c3..5cdc85cd2c 100644
--- a/windows/access-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/access-protection/credential-guard/credential-guard-protection-limits.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
index 0053b52421..789d0e690d 100644
--- a/windows/access-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/access-protection/credential-guard/credential-guard-requirements.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- @@ -22,10 +22,9 @@ in the Deep Dive into Credential Guard video series. For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). - ## Hardware and software requirements -To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses: +To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) - TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) 
@@ -75,25 +74,26 @@ The following tables describe baseline protections, plus protections for improve ### Baseline protections -|Baseline Protections | Description | -|---------------------------------------------|----------------------------------------------------| +|Baseline Protections | Description | Security benefits +|---|---|---| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

    |Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. + ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation | **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
    @@ -102,11 +102,11 @@ The following tables describe baseline protections, plus protections for improve > [!IMPORTANT] > The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Protections for Improved Security | Description |Security Benefits | +|---|---|---| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    @@ -114,7 +114,7 @@ The following tables describe baseline protections, plus protections for improve The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | +| Protections for Improved Security | Description | Security Benefits +|---|---|---| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | diff --git a/windows/access-protection/credential-guard/credential-guard-scripts.md b/windows/access-protection/credential-guard/credential-guard-scripts.md index 991d0010f2..ec3e0f5c91 100644 --- a/windows/access-protection/credential-guard/credential-guard-scripts.md +++ b/windows/access-protection/credential-guard/credential-guard-scripts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/access-protection/credential-guard/credential-guard.md b/windows/access-protection/credential-guard/credential-guard.md index 82c1f6b546..6ce7661b47 100644 --- a/windows/access-protection/credential-guard/credential-guard.md +++ b/windows/access-protection/credential-guard/credential-guard.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index c5c53ac5e6..1af667a83a 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high --- # Enterprise Certificate Pinning diff --git a/windows/access-protection/hello-for-business/hello-and-password-changes.md b/windows/access-protection/hello-for-business/hello-and-password-changes.md index 0a5b5a6d31..5e984f955e 100644 --- a/windows/access-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/access-protection/hello-for-business/hello-and-password-changes.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
 # Windows Hello and password changes
diff --git a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c458afafc8..7fbfa154b0 100644
--- a/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
new file mode 100644
index 0000000000..d9f542ffd7
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -0,0 +1,513 @@ +--- +title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business) +description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 07/07/2017 +--- +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services + +**Applies to** +- Windows 10 + +> This guide only applies to Windows 10, version 1703 or higher. + +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. + +The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. + +If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
+ +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. + +Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. + +A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. + +## Update Windows Server 2016 + +Sign-in the federation server with _local admin_ equivalent credentials. +1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. +2. 
Ensure the latest server updates to the federation server includes [KB4022723](https://support.microsoft.com/en-us/help/4022723). + +>[!IMPORTANT] +>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. + +## Enroll for a TLS Server Authentication Certificate + +Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: +* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) +* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) + +You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. + +You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. 
All names should include the FQDN of each host in the farm and the federation service name. + +It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. + +### Internal Server Authentication Certificate Enrollment + +Sign-in the federation server with domain admin equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). 
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. +9. Click **Enroll**. + +A server authentication certificate should appear in the computer’s Personal certificate store. + +## Deploy the Active Directory Federation Service Role + +The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. +* Device registration +* Key registration +* Certificate registration authority (certificate trust deployments) + +>[!IMPORTANT] +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. + +Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. +1. Start **Server Manager**. Click **Local Server** in the navigation pane. +2. Click **Manage** and then click **Add Roles and Features**. +3. Click **Next** on the **Before you begin** page. +4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. +7. Click **Next** on the **Select features** page. +8. Click **Next** on the **Active Directory Federation Service** page. +9. Click **Install** to start the role installation. 
+ +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the AD FS farm uses the correct database configuration. +* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. +* Confirm **all** AD FS servers in the farm have the latest updates. +* Confirm all AD FS servers have a valid server authentication certificate + * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. + * The alternate name of the certificate contains a wildcard or the FQDN of the federation service + +## Device Registration Service Account Prerequisite + +The service account used for the device registration server depends on the domain controllers in the environment. + +>[!NOTE] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security. + +GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. 
+ +#### Create KDS Root Key + +Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. +1. Start an elevated Windows PowerShell console. +2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis. + +#### Create an AD FS Service Account + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click the **Users** container, Click **New**. Click **User**. +3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +5. Click **Next** and then click **Finish**. + +## Configure the Active Directory Federation Service Role + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +### Windows Server 2012 or later Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. + +### Windows Server 2008 or 2008 R2 Domain Controllers + +Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. + +Sign-in the federation server with _Domain Admin_ equivalent credentials. 
These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. + ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) + +3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. +4. Click **Next** on the **Connect to Active Directory Domain Services** page. +5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. +6. Select the federation service name from the **Federation Service Name** list. +7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. + * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. + + +### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group + +The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. 
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. + +Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Click the **Users** container in the navigation pane. +3. Right-click **KeyCredential Admins** in the details pane and click **Properties**. +4. Click the **Members** tab and click **Add…** +5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +6. Click **OK** to return to **Active Directory Users and Computers**. +7. Right-click **Windows Hello for Business Users** group +8. Click the **Members** tab and click **Add…** +9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. +10. Click **OK** to return to **Active Directory Users and Computers**. +11. Change to server hosting the AD FS role and restart it. + +### Configure Permissions for Key Registration + +Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. + +The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. + +Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. +1. Open **Active Directory Users and Computers**. +2. Right-click your domain name from the navigation pane and click **Properties**. +3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu). +4. Click **Advanced**. Click **Add**. Click **Select a principal**. +5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. +6. In the **Applies to** list box, select **Descendant User objects**. +7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. +9. Click **OK** three times to complete the task. + +## Configure the Device Registration Service + +Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console. +2. In the navigation pane, expand **Service**. Click **Device Registration**. +3. In the details pane, click **Configure Device Registration**. +4. In the **Configure Device Registration** dialog, click **OK**. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you followed the correct procedures based on the domain controllers used in your deployment + * Windows Server 2012 or Windows Server 2012 R2 + * Windows Server 2008 or Windows Server 2008 R2 +* Confirm you have the correct service account based on your domain controller version. +* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. 
+* Confirm you used a certificate with the correct names as the server authentication certificate + * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: + * Certificate serial number + * Certificate thumbprint + * Common name of the certificate + * Subject alternate name of the certificate + * Name of the physical host server + * The issued date + * The expiration date + * Issuing CA Vendor (if a third-party certificate) +* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. +* Confirm you enabled the Device Registration service. + +## Prepare and Deploy AD FS Registration Authority + +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + +### Configure Registration Authority template + +The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. 
+ +The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication. + +>[!IMPORTANT] +>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. + +#### Windows 2012 or later domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority Management** console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. 
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +12. Close the console. + +#### Windows 2008 or 2008R2 domain controllers + +Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. +6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. 
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. +9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Close the console. + +### Configure the Windows Hello for Business Authentication Certificate template + +During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. + +Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. + **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment. +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. +8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. + * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. +9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. +10. On the **Request Handling** tab, select the **Renew with same key** check box. +11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. 
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. +14. Click on the **Apply** to save changes and close the console. + +#### Mark the template as the Windows Hello Sign-in template + +Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +1. Open an elevated command prompt. +2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. + +### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority + +Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. 
Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
+5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+6. Publish the **WHFB Authentication** certificate template using step 5.
+7. Close the console.
+
+### Configure the Registration Authority
+
+Sign-in the AD FS server with Domain Admin equivalent credentials.
+
+1. Open a **Windows PowerShell** prompt.
+2. Type the following command
+
+ ```PowerShell
+ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
+ ```
+
+
+The `Set-AdfsCertificateAuthority` cmdlet may show the following warning:
+>WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
+
+This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
+
+>[!NOTE]
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+
+### Enrollment Agent Certificate Enrollment
+
+Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+
+Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+
+## Additional Federation Servers
+
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
+
+### Server Authentication Certificate
+
+Each server you add to the AD FS farm must have a proper server authentication certificate.
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+
+### Install Additional Servers
+
+Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
+
+## Load Balance AD FS Federation Servers
+
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+
+### Install Network Load Balancing Feature on AD FS Servers
+
+Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
+1. Start **Server Manager**. Click **Local Server** in the navigation pane.
+2. Click **Manage** and then click **Add Roles and Features**.
+3. Click **Next** On the **Before you begin** page.
+4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
+5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
+6.
On the **Select server roles** page, click **Next**.
+7. Select **Network Load Balancing** on the **Select features** page.
+8. Click **Install** to start the feature installation
+ ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
+
+### Configure Network Load Balancing for AD FS
+
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+
+Sign-in a node of the federation farm with _Admin_ equivalent credentials.
+1. Open **Network Load Balancing Manager** from **Administrative Tools**.
+ ![NLB Manager user interface](images/hello-nlb-manager.png)
+2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
+3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
+ ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
+4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
+5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
+6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
+ ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
+7.
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
+ ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
+8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
+9. In Port Rules, click Edit to modify the default port rules to use port 443.
+ ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
+
+### Additional AD FS Servers
+
+1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
+2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
+ ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
+
+## Configure DNS for Device Registration
+
+Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+1. Open the **DNS Management** console.
+2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
+3.
In the navigation pane, select the node that has the name of your internal Active Directory domain name.
+4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
+5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
+6. Close the DNS Management console
+
+## Configure the Intranet Zone to include the federation service
+
+The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
+
+### Create an Intranet Zone Group Policy
+
+Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**
+4. Type **Intranet Zone Settings** in the name box and click **OK**.
+5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**.
+8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**.
+9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
+
+### Deploy the Intranet Zone Group Policy object
+
+1.
Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
+3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+
+## Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account.
+* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
+ * Issuance requirements of an authorized signature from a certificate request agent.
+ * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
+ * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions
+* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+* Confirm you restarted the AD FS service.
+* Confirm you properly configured load-balancing (hardware or software).
+* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
+* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+
+## Validating your work
+
+You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account.
+
+### Event Logs
+
+Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show
+
+* The account name under which the certificate was enrolled.
+* The action, which should read enroll.
+* The thumbprint of the certificate
+* The certificate template used to issue the certificate.
+
+### Normal Service Account
+
+When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify.
+
+### Group Managed Service Account
+
+You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log.
+
+Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` .
+
+Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate.
+
+For detailed information about the certificate, use `Certutil -q -v ` .
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
new file mode 100644
index 0000000000..0692e099e7
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@@ -0,0 +1,543 @@
+---
+title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business)
+description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Configure or Deploy Multifactor Authentication Services
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter.
+
+>[!TIP]
+>Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further.
+
+## Prerequisites
+
+The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet.
+
+### Primary MFA Server
+
+The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers.
+
+For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server.
+
+The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched.
+
+#### Enroll for Server Authentication
+
+The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate.
+
+Sign-in the primary MFA server with _domain admin_ equivalent credentials.
+1. Start the Local Computer **Certificate Manager** (certlm.msc).
+2. Expand the **Personal** node in the navigation pane.
+3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
+4. Click **Next** on the **Before You Begin** page.
+5. Click **Next** on the **Select Certificate Enrollment Policy** page.
+6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
+7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link.
+8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished.
+9. Click **Enroll**.
+
+A server authentication certificate should appear in the computer’s Personal certificate store.
+
+#### Install the Web Server Role
+
+The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
+
+To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
+
+The following services are required:
+* Common Parameters > Default Document.
+* Common Parameters > Directory Browsing.
+* Common Parameters > HTTP Errors.
+* Common Parameters > Static Content.
+* Health and Diagnostics > HTTP Logging.
+* Performance > Static Content Compression.
+* Security > Request Filtering.
+* Security > Basic Authentication.
+* Management Tools > IIS Management Console.
+* Management Tools > IIS 6 Management Compatibility.
+* Application Development > ASP.NET 4.5.
+
+#### Update the Server
+
+Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
+
+#### Configure the IIS Server’s Certificate
+
+The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
+
+Sign in the primary MFA server with _administrator_ equivalent credentials.
+1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console
+2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**.
+3. In the **Actions** pane, click **Bindings**.
+4. In the **Site Bindings** dialog, Click **Add**.
+5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer.
+6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**.
+
+#### Configure the Web Service’s Security
+
+The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services.
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. + +Sign in the domain controller with _domain administrator_ equivalent credentials. + +##### Create Phonefactor Admin group + +1. Open **Active Directory Users and Computers** +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. +3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. +4. Click **OK**. + +##### Add accounts to the Phonefactor Admins group + +1. Open **Active Directory Users and Computers**. +2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. +3. Click the **Members** tab. +4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. + * The computer account for the primary MFA Server + * Group or user account that will manage the User Portal server. + + +#### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: + +* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
+    * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
+        * Certificate serial number
+        * Certificate thumbprint
+        * Common name of the certificate
+        * Subject alternate name of the certificate
+        * Name of the physical host server
+        * The issued date
+        * The expiration date
+        * Issuing CA Vendor (if a third-party certificate)
+
+* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc).
+* Confirm the host has all the available updates from Windows Update.
+* Confirm you bound the server authentication certificate to the IIS web site.
+* Confirm you created the Phonefactor Admins group.
+* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal.
+
+### User Portal Server
+
+The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users.
+
+The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers.
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. + +#### Enroll for Server Authentication + +Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. + +For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. + +Sign-in the User Portal server with _domain admin_ equivalent credentials. +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **Internal Web Server** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). +10. Click **Add**. Click **OK** when finished. +11. Click **Enroll**. 
+
+A server authentication certificate should appear in the computer’s Personal certificate store.
+
+#### Install the Web Server Role
+
+To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this.
+
+#### Update the Server
+
+Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated.
+
+#### Configure the IIS Server’s Certificate
+
+To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section.
+
+#### Create WebServices SDK user account
+
+The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
+
+1. Open **Active Directory Users and Computers**.
+2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
+3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**.
+4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account.
+
+#### Add the MFA SDK user account to the Phonefactor Admins group
+
+Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK.
+
+1. Open **Active Directory Users and Computers**.
+2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties.
+3. Click the Members tab.
+4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**.
+    * The computer account for the primary MFA Server
+    * The Webservices SDK user account
+    * Group or user account that will manage the User Portal server.
+
+
+#### Review
+
+Before you continue with the deployment, validate your deployment progress by reviewing the following items:
+
+* Confirm the hosts of the user portal are properly configure for load balancing and high-availability.
+* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names.
+    * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
+        * Certificate serial number
+        * Certificate thumbprint
+        * Common name of the certificate
+        * Subject alternate name of the certificate
+        * Name of the physical host server
+        * The issued date
+        * The expiration date
+        * Issuing CA Vendor (if a third-party certificate)
+
+* Confirm the Web Server Role was properly configured on all servers.
+* Confirm all the hosts have the latest updates from Windows Update.
+* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group.
+
+## Installing Primary Azure MFA Server
+
+When you install Azure Multi-Factor Authentication Server, you have the following options:
+1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
+2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments)
+
+See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options.
+
+Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
+
+>[!IMPORTANT]
+>Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article.
+
+### Configuring Company Settings
+
+You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory.
+
+Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
+1. Start the **Multi-Factor Server** application
+2. Click **Company Settings**.
+3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list.
+4. In **User defaults**, select **Phone Call** or **Text Message**
+    **Note:** You can use mobile app; however, the configuration is beyond the scope of this document.
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. +5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. +6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. +7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. +8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. +9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +10. Configure the minimum length for the PIN. +11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. +12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. +13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. + +![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) + +### Configuring Email Settings and Content + +If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. + +Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. + +With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. + +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
+
+If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
+
+#### Settings
+
+By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box.
+
+#### Content
+
+On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you.
+
+##### Edit the Content Settings
+
+The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab.
+
+Sign-in the primary MFA server with MFA _administrator_ equivalent credentials.
+1. Open the **Multi-Factor Authentication Server** console.
+2. Click **Email** from the list of icons and click the **Email Content** tab.
+3. Select an email template from the list of templates. Click **Edit**.
+4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email.
+    ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png)
+
+5.
Optionally, customize other options in the email template. +6. When finished editing the template, Click **Apply**. +7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. +8. Click **Close** when you are done editing the email templates. + +### Configuring Directory Integration Settings and Synchronization + +Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. + +It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). + +#### MultiFactorAuthAdSync Service + +The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. + +The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. + +#### Settings + +Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Click the **Synchronization** tab. +4. Select **Use Active Directory**. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. + +#### Synchronization + +The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. + +You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. + +See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. + +##### To add a synchronization item + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the **Multi-Factor Authentication Server** console. +2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. +3. Select the **Synchronization** tab. +4. On the **Synchronization** tab, click **Add**. + ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) + +5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. +6. Select the group you are using for replication from the list of groups +7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. +8. Select **Add new users and Update existing users**. +9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. +10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. +11. Select **Enabled** and select **Only New Users with Phone Number** from the list. +12. Select **Send email** and select **New and Updated Users**. + +##### Configure synchronization item defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. +2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). + +##### Configure synchronization language defaults + +1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. +2. Select the appropriate default language for these groups of users synchronized by these synchronization item. +3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). + +### Installing the MFA Web Services SDK + +The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. + +Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
+
+Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK.
+
+## Install Secondary MFA Servers
+
+Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit.
+
+Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated.
+
+Sign in the secondary MFA server with _domain administrator_ equivalent credentials.
+1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**.
+    **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server.
+2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**.
+3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**.
+4.
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. +5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. +* Confirm the server has Internet connectivity. +* Confirm you installed and activated the Azure MFA Server. +* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). +* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. + * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. + +* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. +* Confirm you installed the Web Service SDK on the primary MFA server. +* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. + + +## Installing the User Portal Server + +You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. 
+ +### Copying the User Portal Installation file + +Sign in the primary MFA server with _local administrator_ equivalent credentials. +1. Open Windows Explorer. +2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. + +### Configure Virtual Directory name + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. +2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. +3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. +4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. +5. Click **Close**. + +### Edit MFA User Portal config file + +Sign in the User Portal server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. + +### Create a DNS entry for the User Portal web site + +Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. +1. Open the **DNS Management** console. +2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. +3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. +4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. +5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**. +6. Close the **DNS Management** console. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. + +### Validating your work + +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. + +Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. + +### Configuring the User Portal + +The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. +User Portal Administrators may be set up and granted permission to add new users and update existing users. + +#### Settings + +Sign in the primary MFA server with _MFA administrator_ equivalent credentials. +1. Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. + ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) + +3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. +The Multi-Factor Authentication Server uses this information when sending emails to users. +4. Select Allow users to log in and Allow user enrollment check boxes. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +6. Select Allow users to select language. +7. Select Use security questions for fallback and select 4 from the Questions to answer list. + +>[!TIP] +>For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). + +#### Administrators + +The User Portal Settings tab allows the administrator to install and configure the User Portal. +1. 
Open the Multi-Factor Authentication Server console. +2. From the Multi-Factor Authentication Server window, click the User Portal icon. +3. On the Administrators tab, Click Add +4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. +5. Click Add. + +>[!TIP] +>For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. + +#### Security Questions + +[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. + +#### Trusted IPs + +The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. + +## Configure the AD FS Server to use the MFA for multifactor authentication + +You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. 
+ +### Install the MFA AD FS Adapter + +Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. + +### Edit the MFA AD FS Adapter config file on all ADFS Servers + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. + +### Edit the AD FS Adapter Windows PowerShell cmdlet + +Sign in the primary AD FS server with _local administrator_ equivalent credentials. + +Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. + +### Run the AD FS Adapter PowerShell cmdlet + +Sign in the primary AD FS server with local administrator equivalent credentials. + +Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. + +>[!NOTE] +>You must restart the AD FS service for the registration to take effect. + +### Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm the user portal application is properly installed on all user portal hosts +* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. +* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME +* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. +* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. +* Confirm you saved the changes to the web.config file. +* Confirm you restarted the AD FS Service after completing the configuration. + +## Test AD FS with the Multifactor Authentication connector + +Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete.
+
+1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
+2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
+3. Click **Test**.
+4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
+
+The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
new file mode 100644
index 0000000000..80a40bc364
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -0,0 +1,155 @@
+---
+title: Configure Windows Hello for Business Policy settings (Windows Hello for Business)
+description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Configure Windows Hello for Business Policy settings
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+
+Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
+ +On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: +* Enable Windows Hello for Business +* Use certificate for on-premises authentication +* Enable automatic enrollment of certificates + +## Enable Windows Hello for Business Group Policy + +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Use certificate for on-premises authentication + +The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests. + +You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. + +## Enable automatic enrollment of certificates + +Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates. + +The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires. + +## Create the Windows Hello for Business Group Policy object + +The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click **Group Policy object** and select **New**. +4. Type *Enable Windows Hello for Business* in the name box and click **OK**. +5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +6. In the navigation pane, expand **Policies** under **User Configuration**. +7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. +8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. +9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. + +## Configure Automatic Certificate Enrollment + +1. Start the **Group Policy Management Console** (gpmc.msc). +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. +4. In the navigation pane, expand **Policies** under **User Configuration**. +5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. +6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +7. Select **Enabled** from the **Configuration Model** list. +8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +9. Select the **Update certificates that use certificate templates** check box. +10. Click **OK**. Close the **Group Policy Management Editor**. + +## Configure Security in the Windows Hello for Business Group Policy object + +The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +3. Double-click the **Enable Windows Hello for Business** Group Policy object. +4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**. +5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**. +6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. + +## Deploy the Windows Hello for Business Group Policy object + +The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business. +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** +3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. + +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. + +## Other Related Group Policy settings + +### Windows Hello for Business + +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. + +### Use a hardware security device + +The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. + +You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. + +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. + +### Use biometrics + +Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security. + +The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint. + +### PIN Complexity + +PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. + +Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +* Require digits +* Require lowercase letters +* Maximum PIN length +* Minimum PIN length +* Expiration +* History +* Require special characters +* Require uppercase letters + +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. + +## Review + +Before you continue with the deployment, validate your deployment progress by reviewing the following items: +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) +* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) +* Confirm you configured the proper security settings for the Group Policy object + * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) + * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy + +* Linked the Group Policy object to the correct locations within Active Directory +* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users + + +## Add users to the Windows Hello for Business Users group + +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. + + +## Follow the Windows Hello for Business on premises certificate trust deployment guide +1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. Configure Windows Hello for Business Policy settings (*You are here*)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
new file mode 100644
index 0000000000..8226e365c6
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -0,0 +1,79 @@
+---
+title: Validate Active Directory prerequisites (Windows Hello for Business)
+description: How to Validate Active Directory prerequisites for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate Active Directory prerequisites
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step.
+
+Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
+
+## Discovering schema role
+
+To locate the schema master role holder, open and command prompt and type:
+
+```Netdom query fsmo | findstr -i “schema”```
+
+![Netdom example output](images\hello-cmd-netdom.png)
+
+The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
+
+## Updating the Schema
+
+Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory.
+
+Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials.
+
+1. Open an elevated command prompt.
+2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
+3. To update the schema, type ```adprep /forestprep```.
+4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema.
+5. Close the Command Prompt and sign-out.
+
+## Create the KeyCredential Admins Security Global Group
+
+The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow.
+
+Sign-in a domain controller or management workstation with Domain Admin equivalent credentials.
+
+1. Open **Active Directory Users and Computers**.
+2. Click **View** and click **Advance Features**.
+3. Expand the domain node from the navigation pane.
+4. Right-click the **Users** container. Click **New**. Click **Group**.
+5. Type **KeyCredential Admins** in the **Group Name** text box.
+6. Click **OK**.
+
+## Create the Windows Hello for Business Users Security Global Group
+
+The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
+
+Sign-in a domain controller or management workstation with Domain Admin equivalent credentials.
+
+1. Open **Active Directory Users and Computers**.
+2. Click **View** and click **Advanced Features**.
+3. Expand the domain node from the navigation pane.
+4. Right-click the **Users** container. Click **New**. Click **Group**.
+5. Type **Windows Hello for Business Users** in the **Group Name** text box.
+6. Click **OK**.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. Validate Active Directory prerequisites (*You are here*)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
new file mode 100644
index 0000000000..90ae7fc730
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -0,0 +1,49 @@
+---
+title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business)
+description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate and Deploy Multifactor Authentication Services (MFA)
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
+
+Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
+* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
+* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios.
+* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
+* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
+
+## On-Premises Azure MFA Server
+
+On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory.
+
+### Infrastructure
+
+A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing.
+
+Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
+
+>[!IMPORTANT]
+>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article.
+
+Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md).
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
new file mode 100644
index 0000000000..c3054a28fa
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -0,0 +1,197 @@
+---
+title: Validate Public Key Infrastructure (Windows Hello for Business)
+description: How to Validate Public Key Infrastructure for Windows Hello for Business
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Validate and Configure Public Key Infrastructure
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
+
+## Deploy an enterprise certificate authority
+
+This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
+
+### Lab-based public key infrastructure
+
+The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
+
+Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
+
+>[!NOTE]
+>Never install a certificate authority on a domain controller in a production environment.
+
+1. Open an elevated Windows PowerShell prompt.
+2. Use the following command to install the Active Directory Certificate Services role.
+ ```PowerShell
+ Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools
+ ```
+
+3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
+ ```PowerShell
+ Install-AdcsCertificateAuthority
+ ```
+
+## Configure a Production Public Key Infrastructure
+
+If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+
+### Configure Domain Controller Certificates
+
+Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority.
+
+Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
+
+By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
+
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
+ **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+8. Close the console.
+
+### Superseding the existing Domain Controller certificate
+
+Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.
+
+The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
+
+Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+4. Click the **Superseded Templates** tab. Click **Add**.
+5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+9. Click **OK** and close the **Certificate Templates** console.
+
+The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+
+### Configure an Internal Web Server Certificate template
+
+Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
+
+Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
+ **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+6. On the **Request Handling** tab, select **Allow private key to be exported**.
+7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
+9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+10. Close the console.
+
+### Unpublish Superseded Certificate Templates
+
+The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
+
+The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
+
+Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Expand the parent node from the navigation pane.
+3. Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
+
+### Publish Certificate Templates to the Certificate Authority
+
+The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+1. Open the **Certificate Authority** management console.
+2. Expand the parent node from the navigation pane.
+3. Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
+ * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
+
+7. Close the console.
+
+### Configure Domain Controllers for Automatic Certificate Enrollment
+
+Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**
+4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
+5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
+8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+9. Select **Enabled** from the **Configuration Model** list.
+10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
+11. Select the **Update certificates that use certificate templates** check box.
+12. Click **OK**. Close the **Group Policy Management Editor**.
+
+### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
+
+Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
+3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
+
+### Validating your work
+
+Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
+
+You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred.
+
+#### Use the Event Logs
+
+Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows.
+
+Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template.
+
+Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+
+
+#### Certificate Manager
+
+You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager.
+
+#### Certutil.exe
+
+You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates.
+
+To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates.
+
+#### Troubleshooting
+
+Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`.
+
+Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt.
+
+Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions.
+
+
+## Follow the Windows Hello for Business on premises certificate trust deployment guide
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. Validate and Configure Public Key Infrastructure (*You are here*)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
new file mode 100644
index 0000000000..3e3dd9f272
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -0,0 +1,40 @@
+---
+title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
+description: A guide to an On Premises, Certificate trust Windows Hello for Business deployment
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# On Premises Certificate Trust Deployment
+
+**Applies to**
+- Windows 10
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
+
+Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
+1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md
new file mode 100644
index 0000000000..c11406fb24
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md
@@ -0,0 +1,55 @@
+---
+title: Windows Hello for Business Deployment Guide
+description: A guide to Windows Hello for Business deployment
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 07/07/2017
+---
+# Windows Hello for Business Deployment Guide
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+> This guide only applies to Windows 10, version 1703 or higher.
+
+Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.
+
+This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+
+## Assumptions
+
+This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+* A well-connected, working network
+* Internet access
+ * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
+* Proper name resolution, both internal and external names
+* Active Directory and an adequate number of domain controllers per site to support authentication
+* Active Directory Certificate Services 2012 or later
+* One or more workstation computers running Windows 10, version 1703
+
+If you are installing a role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
+ +Do not begin your deployment until the hosting servers and infrastructure (not roles) identified in your prerequisite worksheet are configured and properly working. + +## Deployment and trust models + +Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust. + +Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. + +The trust model determines how you want users to authentication to the on-premises Active Directory. Remember hybrid environments use Azure Active Directory and on-premises Active Directory. The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and they have an adequate number of 2016 domain controllers in each site to support the authentication. The certificate-trust model is for enterprise that do want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. The certificate trust model is also enterprise who are not ready to deploy Windows Server 2016 domain controllers. + +Following are the various deployment guides included in this topic: +* [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) + +## Provisioning + +The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. + 
diff --git a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md index ee01d1173d..20c0c5cc2a 100644 --- a/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- diff --git a/windows/access-protection/hello-for-business/hello-event-300.md b/windows/access-protection/hello-for-business/hello-event-300.md index 3d94345736..1b894d9da4 100644 --- a/windows/access-protection/hello-for-business/hello-event-300.md +++ b/windows/access-protection/hello-for-business/hello-event-300.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md index 1e42ccaded..c5d6ce9420 100644 --- a/windows/access-protection/hello-for-business/hello-how-it-works.md +++ b/windows/access-protection/hello-for-business/hello-how-it-works.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- # How Windows Hello for Business works diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index eaac2063b5..6bc13714ae 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -1,6 +1,6 @@ --- title: Windows Hello for Business (Windows 10) -description: IWindows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 @@ -8,19 +8,14 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/07/2017 --- # Windows Hello for Business -**Applies to** -- Windows 10 -- Windows 10 Mobile - -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. - ->[!NOTE] -> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
    +Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. @@ -28,98 +23,78 @@ Windows Hello addresses the following problems with passwords: - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). - Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). -Windows Hello lets users authenticate to: -- a Microsoft account. -- an Active Directory account. -- a Microsoft Azure Active Directory (Azure AD) account. -- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) +>[!div class="mx-tdBreakAll"] +>| | | | +>| :---: | :---: | :---: | +>| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
    [Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
    [Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
    [Manage Windows Hello in your Organization](hello-manage-in-organization.md) | -After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. +## Prerequisites -As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. +### Cloud Only Deployment +* Windows 10, version 1511 or later +* Microsoft Azure Account +* Azure Active Directory +* Azure Multifactor authentication +* Modern Management (Intune or supported third-party MDM), *optional* +* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -## Biometric sign-in - - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. - -- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. -- **Fingerprint recognition**. 
This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. +### Hybrid Deployments +The table shows the minimum requirements for each deployment. -Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. +| Key trust
    Group Policy managed | Certificate trust
    Mixed managed | Key trust
    Modern managed | Certificate trust
    Modern managed | +| --- | --- | --- | --- | +| Windows 10, version 1511 or later| Windows 10, version 1703 or later (domain joined)
    Windows 10, version 1511 or later (cloud joined) | Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | +| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | +| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | +| N/A | Windows Server 2016 AD FS with KB4022723 update (domain joined), and
    Windows Server 2012 or later Network Device Enrollment Service (cloud joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
    AD FS w/Azure MFA adapter, or
    AD FS w/Azure MFA Server adapter, or
    AD FS w/3rd Party MFA Adapter | +| Azure Account | Azure Account | Azure Account | Azure Account | +| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | +| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | +| Azure AD Premium, optional | Azure AD Premium, needed for device writeback | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | +### On-premises Deployments +The table shows the minimum requirements for each deployment. -## The difference between Windows Hello and Windows Hello for Business +| Key trust
    Group Policy managed | Certificate trust
    Group Policy managed| +| --- | --- | +| Windows 10, version 1703 or later | Windows 10, version 1703 or later | +| Windows Server 2016 Schema | Windows Server 2016 Schema| +| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | +| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | +| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | +| N/A | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | +| AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
    AD FS with 3rd Party MFA Adapter | +| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | -- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. +## Frequently Asked Questions -- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. +### Do I need Windows Server 2016 domain controllers? +There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment -- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. +### Is Windows Hello for Business multifactor authentication? +Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". 
-## Benefits of Windows Hello +### Can I use PIN and biometrics to unlock my device? +No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the device with multiple factors. -Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. +### What is the difference between Windows Hello and Windows Hello for Business +Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. -You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. +### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? +No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. -In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. 
Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. +### Does Windows Hello for Business work with third party federation servers? +Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) ->[!NOTE] ->Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. +| Protocol | Description | +| :---: | :--- | +| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | +| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. 
| +| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | +| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider metadata that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | -![How authentication works in Windows Hello](images/authflow.png) - -Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. - -Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. - - -  -## How Windows Hello for Business works: key points - -- Windows Hello credentials are based on certificate or asymmetrical key pair. 
Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. -- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. -- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. -- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. -- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. -- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. -- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. -- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. - -For details, see [How Windows Hello for Business works](hello-how-it-works.md). - -## Comparing key-based and certificate-based authentication - -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. 
Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. - - - -## Learn more - -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) - -[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy - -[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) - -[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) - -[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) - -[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) - -[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) - -[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -## Related topics - -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) -  +### Does Windows Hello for Business work with Mac and Linux clients? 
+Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) diff --git a/windows/access-protection/hello-for-business/hello-manage-in-organization.md b/windows/access-protection/hello-for-business/hello-manage-in-organization.md index 8ef71c6d85..6d8b9b37a2 100644 --- a/windows/access-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/access-protection/hello-for-business/hello-manage-in-organization.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- diff --git a/windows/access-protection/hello-for-business/hello-overview.md b/windows/access-protection/hello-for-business/hello-overview.md new file mode 100644 index 0000000000..3aa57fa4e5 --- /dev/null +++ b/windows/access-protection/hello-for-business/hello-overview.md 
@@ -0,0 +1,123 @@ +--- +title: Windows Hello for Business (Windows 10) +description: An overview of Windows Hello for Business +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +--- +# Windows Hello for Business Overview + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. + +>[!NOTE] +> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Windows Hello addresses the following problems with passwords: +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). + +Windows Hello lets users authenticate to: +- a Microsoft account. +- an Active Directory account. +- a Microsoft Azure Active Directory (Azure AD) account. 
+- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication (in progress) + +After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. + +As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. + +## Biometric sign-in + + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + +- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. +- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. 
Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. + +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. + + +## The difference between Windows Hello and Windows Hello for Business + +- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, however it is not backed by asymmetric (public/private key) or certificate-based authentication. + +- Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication. + +- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release. + +## Benefits of Windows Hello + +Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. + +You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials. + +In Windows 10, Windows Hello replaces passwords. 
When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. + +>[!NOTE] +>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. + +![How authentication works in Windows Hello](images/authflow.png) + +Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. + +Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. 
+ + +  +## How Windows Hello for Business works: key points + +- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. +- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. +- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. +- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. +- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. +- PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. +- Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. + +For details, see [How Windows Hello for Business works](hello-how-it-works.md). + +## Comparing key-based and certificate-based authentication + +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. 
Enterprises that have a public key infrastructure (PKI) for issuing and managing certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust. + + + +## Learn more + +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) + +[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy + +[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) + +[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) + +[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995) + +[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) + +[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) + +[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) + +## Related topics + +- [How Windows Hello for Business works](hello-how-it-works.md) +- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) +- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) +- [Windows Hello and password changes](hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Windows Hello 
biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+ 
diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md
new file mode 100644
index 0000000000..84a8935184
--- /dev/null
+++ b/windows/access-protection/hello-for-business/hello-planning-guide.md
@@ -0,0 +1,319 @@ +--- +title: Planning a Windows Hello for Business Deployment +description: A guide to planning a Windows Hello for Business deployment +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: DaniHalfin +ms.localizationpriority: high +--- +# Planning a Windows Hello for Business Deployment + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +> This guide only applies to Windows 10, version 1511 or higher. + +Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. + +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you’ll use that information to select the correct deployment guide for your needs. + +## Using this guide + +There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they’ve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. + +This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you’ll need to consider. 
Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. + +### How to Proceed + +Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. + +There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: +* Deployment Options +* Client +* Management +* Active Directory +* Public Key Infrastructure +* Cloud + +### Baseline Prerequisites + +Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. + +### Deployment Options + +The goal of Windows Hello for Business is to enable deployments for all organizations of any size or scenario. To provide this type of granular deployment, Windows Hello for Business offers a diverse choice of deployment options. + +#### Deployment models + +There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. + +##### Cloud only +The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. 
+ +##### Hybrid +The hybrid deployment model is for organizations that: +* Are federated with Azure Active Directory +* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +##### On-premises +The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. + + +It’s fundamentally important to understand which deployment model to use for a successful deployment. Some of aspects of the deployment may already be decided for you based on your current infrastructure. + +#### Trust types + +A deployments trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trusts types, key trust and certificate trust. + +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. + +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authentication using their certificate to any Windows Server 2008 R2 or later domain controller. + +#### Device registration + +All devices included in the Windows Hello for Business deployment must go through device registration. Device registration enables devices to authenticate to identity providers. 
For cloud only and hybrid deployment, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running the Windows Server 2016 Active Directory Federation Services (AD FS) role. + +#### Key registration + +The in-box Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. + +#### Multifactor authentication + +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that providers easy two-factor authentication. The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. + +Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use from the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). 
+>[!NOTE] +> Azure Multi-Factor Authentication is available through a: +>* Microsoft Enterprise Agreement +>* Open Volume License Program +>* Cloud Solution Providers program +>* Bundled with +> * Azure Active Directory Premium +> * Enterprise Mobility Suite +> * Enterprise Cloud Suite +>* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information) + +#### Directory synchronization + +Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose. Hybrid deployments use Azure Active Directory Connect to synchronization Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. + +### Management + +Windows Hello for Business provides organizations with a rich set of granular policy setting with which they can use to manage their devices and users. There are three ways in which you can manage Windows Hello for Business: Group Policy, Modern Management, and Mixed. + +#### Group Policy + +Group Policy is the easiest and most popular way to manage Windows Hello for Business on domain joined devices. Simply create a Group Policy object with the settings you desire. Link the Group Policy object high in your Active Directory and use security group filtering to target specific sets of computers or users. Or, link the GPO directly to the organizational units. + +#### Modern management + +Modern management is an emerging device management paradigm that leverages the cloud for managing domain joined and non-domain joined devices. Organizations can unify their device management into one platform and apply policy settings using a single platform + +### Client + +Windows Hello for Business is an exclusive Windows 10 feature. 
As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios. + +Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update. + + +### Active Directory + +Hybrid and on-premises deployments include Active Directory as part of their infrastructure. Most of the Active Directory requirements, such as schema, and domain and forest functional levels are predetermined. However, your trust type choice for authentication determines the version of domain controller needed for the deployment. + +### Public Key Infrastructure + +The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller is a legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. + +### Cloud + +Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements can may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional. 
+ +## Planning a Deployment + +Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization’s infrastructure. + +Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you’ll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. + +### Deployment Model + +Choose the deployment model based on the resources your users access. Use the following guidance to make your decision. + +If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. + +If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hyrbid** in box **1a** on your planning worksheet. + +If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. +>[!NOTE] +>If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from and elevated Windows PowerShell prompt and evaluate the results. +>```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com -Properties keywords``` +>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. 
If the object truly does not exists, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +>* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement +> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. + > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. + +### Trust type + +Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. + +If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. + +If your organization wants to use the certificate trust type, write **certificate trust** in box **1b** on your planning worksheet. Write **Windows Server 2008 R2 or later** in box **4d**. In box **5c**, write **smart card logon** under the **Template Name** column and write **users** under the **Issued To** column on your planning worksheet. + +### Device Registration + +A successful Windows Hello for Business requires all devices to register with the identity provider. The identity provider depends on the deployment model. + +If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1c** on your planning worksheet. + +### Key Registration + +All users provisioning Windows Hello for Business have their public key registered with the identity provider. The identity provider depends on the deployment model. 
+ +If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1d** on your planning worksheet. + +### Directory Synchronization + +Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multifactor authentication during provisioning or writing the user’s public key. + +If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized. + +If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusive uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. + +### Multifactor Authentication + +The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. 
To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity. + +If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet. + +If box **1a** on your planning worksheet reads **hybrid**, then you have a few options, some of which depend on your directory synchronization configuration. The options from which you may choose include: +* Directly use Azure MFA cloud service +* Use AD FS w/Azure MFA cloud service adapter +* Use AD FS w/Azure MFA Server adapter +* Use AD FS w/3rd Party MFA Adapter + +You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service. + +If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. + +You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. 
If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. + +Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. + +The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. + +If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter. + +If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. + +### Management + +Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models. + +If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices. 
If you choose to manage Azure Active Directory joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
+
+>[!NOTE]
+> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+
+If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
+
+Managing hybrid deployments includes two categories of devices to consider for your Windows Hello for Business deployment—domain joined and non-domain joined. All devices are registered, however, not all devices are domain joined. You have the option of using Group Policy for domain joined devices and modern management for non-domain joined devices. Or, you can use modern management for both domain and non-domain joined devices.
+
+If you use Group Policy to manage your domain joined devices, write **GP** in box **2a** on your planning worksheet, Write **modern management** in box **2b** if you decide to manage non-domain joined devices; otherwise, write **N/A**.
+
+If you use modern management for both domain and non-domain joined devices, write **modern management** in box **2a** and **2b** on your planning worksheet.
+
+### Client
+
+Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
+
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+>[!NOTE]
+>Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+
+Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
+* Box **2a** on your planning worksheet read **modern management**.
+ * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**.
+ *Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+
+Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true.
+* Box **1a** on your planning worksheet reads **on-premises**.
+ Write **N/A** in box **3b** on your planning worksheet.
+* Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **certificate trust**, and box **2a** reads **GP**.
+ * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
+
+### Active Directory
+
+The Active Directory portion of the planning guide should be complete. Most of conditions are baseline prerequisites except for your domain controllers. The domain controllers used in your deployment are decided by the chosen trust type.
+
+Review the trust type portion of this section if box **4d** on your planning worksheet remains empty.
+
+### Public Key Infrastructure
+
+Public key infrastructure prerequisites already exist on your planning worksheet. These conditions are the minimum requirements for any hybrid our on-premises deployment. Additional conditions may be needed based on your trust type.
+
+If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure.
+
+If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet.
+
+The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices.
+
+If box **3a** reads **GP** and box **3b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances:
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | AD FS RA |
+| Web Server | AD FS RA |
+| Exchange Enrollment Agent | NDES |
+| Web Server | NDES |
+| CEP Encryption | NDES |
+
+If box **3a** reads **GP** and box **3b** reads **N/A**, write **AD FA RA** in box **5b** and write the following certificate template names and issuances in box **5c** on your planning worksheet.
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | AD FS RA |
+| Web Server | AD FS RA |
+
+If box **3a** or **3b** reads modern management, write **NDES** in box **5b** and write the following certificate template names and issuances in box 5c on your planning worksheet.
+
+| Certificate Template Name | Issued To |
+| --- | --- |
+| Exchange Enrollment Agent | NDES |
+| Web Server | NDES |
+| CEP Encryption | NDES |
+
+### Cloud
+
+Nearly all deployments of Windows Hello for Business require an Azure account.
+
+If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Yes** in boxes **6a** and **6b** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet.
Otherwise, write **Yes** in box **1f** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
+
+Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies do.
+
+If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
+
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multifactor authentication).
+
+If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device writeback—an Azure AD Premium feature.
+
+Modern managed devices do not require an Azure AD premium subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
+
+If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**.
+
+## Congratulations, You’re Done
+
+Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment.
\ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md index eaa96377ed..c0ac1449b3 100644 --- a/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/access-protection/hello-for-business/hello-prepare-people-to-use.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md index a224eeab82..d3f89032e3 100644 --- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- @@ -33,7 +33,7 @@ A password is transmitted to the server -- it can be intercepted in transmission When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. >[!NOTE] ->For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello). +>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).   ## PIN is backed by hardware 
diff --git a/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png b/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png
new file mode 100644
index 0000000000..374d8f1297
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-adfs-configure-2012r2.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png
new file mode 100644
index 0000000000..7f0be5249d
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-cmd-netdom.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png
new file mode 100644
index 0000000000..cc78ba41cf
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-internal-web-server-cert.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png
new file mode 100644
index 0000000000..72c94fb321
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-company-settings.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png
new file mode 100644
index 0000000000..64f85b1f54
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-content-edit-email.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png
new file mode 100644
index 0000000000..6894047f98
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-sync-item.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
new file mode 100644
index 0000000000..3167588d7b
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-mfa-user-portal-settings.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png b/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png
new file mode 100644
index 0000000000..49b06a8cc2
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-add-ip.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png
new file mode 100644
index 0000000000..e74cc5f586
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png
new file mode 100644
index 0000000000..c8d406f45f
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png b/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png
new file mode 100644
index 0000000000..3c4e29b213
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-cluster.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-connect.png b/windows/access-protection/hello-for-business/images/hello-nlb-connect.png
new file mode 100644
index 0000000000..c5aac0791e
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-connect.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png b/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png
new file mode 100644
index 0000000000..3ab085a804
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-feature-install.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello-nlb-manager.png b/windows/access-protection/hello-for-business/images/hello-nlb-manager.png
new file mode 100644
index 0000000000..61af244a4c
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello-nlb-manager.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_filter.png b/windows/access-protection/hello-for-business/images/hello_filter.png
new file mode 100644
index 0000000000..611bbfad70
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_filter.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_gear.png b/windows/access-protection/hello-for-business/images/hello_gear.png
new file mode 100644
index 0000000000..b74cf682ac
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_gear.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_lock.png b/windows/access-protection/hello-for-business/images/hello_lock.png
new file mode 100644
index 0000000000..5643cecec0
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_lock.png differ
diff --git a/windows/access-protection/hello-for-business/images/hello_users.png b/windows/access-protection/hello-for-business/images/hello_users.png
new file mode 100644
index 0000000000..c6750396dd
Binary files /dev/null and b/windows/access-protection/hello-for-business/images/hello_users.png differ
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md
new file mode 100644
index 0000000000..e99fabcb82
--- /dev/null
+++ b/windows/access-protection/hello-for-business/toc.md
@@ -0,0 +1,23 @@
+# [Windows Hello for Business](hello-identity-verification.md)
+
+## [Windows Hello for Business Overview](hello-overview.md)
+## [How Windows Hello for Business works](hello-how-it-works.md)
+## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+## [Windows Hello and password changes](hello-and-password-changes.md)
+## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
+
+## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
+
+### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
+#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
+#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
+#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
+#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
+##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
+#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
diff --git a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
index c6d37fa5e8..233a60e8e8 100644
--- a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Install digital certificates on Windows 10 Mobile
diff --git a/windows/access-protection/user-account-control/user-account-control-overview.md b/windows/access-protection/user-account-control/user-account-control-overview.md
index a273e12688..15a9a0a383 100644
--- a/windows/access-protection/user-account-control/user-account-control-overview.md
+++ b/windows/access-protection/user-account-control/user-account-control-overview.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: operate
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
diff --git a/windows/access-protection/vpn/vpn-authentication.md b/windows/access-protection/vpn/vpn-authentication.md
index fa0b7a5592..89140757bf 100644
--- a/windows/access-protection/vpn/vpn-authentication.md
+++ b/windows/access-protection/vpn/vpn-authentication.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN authentication options
diff --git a/windows/access-protection/vpn/vpn-auto-trigger-profile.md b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
index dbbe91c8cb..497918050e 100644
--- a/windows/access-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN auto-triggered profile options
diff --git a/windows/access-protection/vpn/vpn-conditional-access.md b/windows/access-protection/vpn/vpn-conditional-access.md
index 073b24b8fd..1bbcc1daef 100644
--- a/windows/access-protection/vpn/vpn-conditional-access.md
+++ b/windows/access-protection/vpn/vpn-conditional-access.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN and conditional access
diff --git a/windows/access-protection/vpn/vpn-connection-type.md b/windows/access-protection/vpn/vpn-connection-type.md
index 39f933d548..2896f7a271 100644
--- a/windows/access-protection/vpn/vpn-connection-type.md
+++ b/windows/access-protection/vpn/vpn-connection-type.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN connection types
diff --git a/windows/access-protection/vpn/vpn-guide.md b/windows/access-protection/vpn/vpn-guide.md
index 138b74295c..f90e404b12 100644
--- a/windows/access-protection/vpn/vpn-guide.md
+++ b/windows/access-protection/vpn/vpn-guide.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows 10 VPN technical guide
diff --git a/windows/access-protection/vpn/vpn-name-resolution.md b/windows/access-protection/vpn/vpn-name-resolution.md
index 1a40cd73b6..b9c5a697f2 100644
--- a/windows/access-protection/vpn/vpn-name-resolution.md
+++ b/windows/access-protection/vpn/vpn-name-resolution.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN name resolution
diff --git a/windows/access-protection/vpn/vpn-profile-options.md b/windows/access-protection/vpn/vpn-profile-options.md
index 58f005e2be..2caa8c2493 100644
--- a/windows/access-protection/vpn/vpn-profile-options.md
+++ b/windows/access-protection/vpn/vpn-profile-options.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN profile options
diff --git a/windows/access-protection/vpn/vpn-routing.md b/windows/access-protection/vpn/vpn-routing.md
index 597d5cad4a..3796a83687 100644
--- a/windows/access-protection/vpn/vpn-routing.md
+++ b/windows/access-protection/vpn/vpn-routing.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN routing decisions
diff --git a/windows/access-protection/vpn/vpn-security-features.md b/windows/access-protection/vpn/vpn-security-features.md
index ed34d30dc0..cfc51f33ce 100644
--- a/windows/access-protection/vpn/vpn-security-features.md
+++ b/windows/access-protection/vpn/vpn-security-features.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # VPN security features
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
index 7f815bfe0e..1a3cdacf44 100644
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@@ -99,3 +99,6 @@
 #### [Application Publishing and Client Interaction](app-v/appv-application-publishing-and-client-interaction.md)
 #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
 #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
+## [Service Host process refactoring](svchost-service-refactoring.md)
+## [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
+## [Change history for Application management](change-history-for-application-management.md)
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
new file mode 100644
index 0000000000..92e5039334
--- /dev/null
+++ b/windows/application-management/change-history-for-application-management.md
@@ -0,0 +1,23 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jdeckerms
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## July 2017
+| New or changed topic | Description |
+| --- | --- |
+| [Service Host process refactoring](svchost-service-refactoring.md) | New |
+| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
+
+
diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
new file mode 100644
index 0000000000..94540ed17d
--- /dev/null
+++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md 
@@ -0,0 +1,58 @@
+---
+title: Application upgrades on Windows 10 Mobile
+description: Learn how to deploy upgrades to applications running on Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/20/2017
+---
+# Deploy application upgrades on Windows 10 Mobile
+
+> Applies to: Windows 10
+
+When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in System Center Configuration Manager](/sccm/apps/deploy-use/revise-and-supersede-applications#application-supersedence).
+
+There are two steps to deploy an app upgrade:
+
+1. [Define the supersedence](#define-app-supersedence) - this lets Configuration Manager know that the old version should be replaced by the new version.
+2. [Deploy the upgrade](#deploy-the-app-upgrade) to your users.
+
+The following steps walk you through the upgrade deployment process - we have an upgraded version of the Walking Scorer app (moving from version 12.23.2.0 to 12.23.3.0). Becasuse we previously used Configuration Manager to deploy the existing version, we'll use it now to upgrade the app.
+
+Before you can deploy the upgrade, make sure you import the new version of the app and distribute it to your manage.microsoft.com distribution point.
+
+
+
+## Define app supersedence
+
+1. In the Configuration Manager console, open the Software Library, and then find the new version of your app.
+ ![The Software Library in Configuration Manager](media/app-upgrade-cm-console.png)
+
+2. Right-click the new version, and then click **Properties**.
+3. Click the **Supersedence** tab - there shouldn't be any supersedence rules yet. We'll add one next.
+ ![The list of supersedence rules for the app](media/app-upgrade-no-supersedence.png)
+
+4. Click **Add**, browse to the existing (older) version of the app that you're upgrading, and then click **OK**.
+5. Under **New Deployment Type** select the new version of the app. (When you imported the new version, it comes in as a new deployment type. If you're upgrading a Universal application, you'll see only one type here.)
+ ![Create a supersedence rule for the new version of the app](media/app-upgrade-supersede-deploy-type.png)
+ > [!IMPORTANT]
+ > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version.
+
+6. Click **OK**.
+7. If you have other versions of the same app, repeate steps 4-6 for each version. Click **OK** when you're done.
+
+> [!NOTE]
+> Need to remove a supersedence? (Maybe the new version turned out to be flaky and you don't want users to get it yet.) On the **Supersedence** tab for the *new* version of the app, double-click the older version in the list of supersedence rules, and then change the **New Deployment Type** to **Do not replace**.
+
+## Deploy the app upgrade
+
+You're now ready to deploy the upgrade. On the **Home** tab in Configuration Manager, select the new version of the app, and then click **Deploy**, and follow the instructions in the wizard. When asked, set the **Purpose** to **Required**.
+
+You don't need to delete the deployment associated with the older version of the app. The status for that deployment will change to **Requirements not met** in the **Monitoring** view:
+
+![Monitoring view in Configuration Manager for the old version of the app](media/app-upgrade-old-version.png)
+
+If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
\ No newline at end of file
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index b7ce77366d..d6c32fbe93 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 # Windows 10 application management
@@ -13,10 +13,12 @@ localizationpriority: medium
 **Applies to**
 - Windows 10
-Learn about managing applications in Window 10 and Windows 10 Mobile clients.
+Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
 | Topic | Description |
 |---|---|
 |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
 |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
+| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
+| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |
diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png
new file mode 100644
index 0000000000..8681e2fb39
Binary files /dev/null and b/windows/application-management/media/app-upgrade-cm-console.png differ
diff --git a/windows/application-management/media/app-upgrade-no-supersedence.png b/windows/application-management/media/app-upgrade-no-supersedence.png
new file mode 100644
index 0000000000..9a9bb9bb53
Binary files /dev/null and b/windows/application-management/media/app-upgrade-no-supersedence.png differ
diff --git a/windows/application-management/media/app-upgrade-old-version.png b/windows/application-management/media/app-upgrade-old-version.png
new file mode 100644
index 0000000000..e430be170e
Binary files /dev/null and b/windows/application-management/media/app-upgrade-old-version.png differ
diff --git a/windows/application-management/media/app-upgrade-supersede-deploy-type.png b/windows/application-management/media/app-upgrade-supersede-deploy-type.png
new file mode 100644
index 0000000000..24a45c5939
Binary files /dev/null and b/windows/application-management/media/app-upgrade-supersede-deploy-type.png differ
diff --git a/windows/application-management/media/svchost-grouped-processes.png b/windows/application-management/media/svchost-grouped-processes.png
new file mode 100644
index 0000000000..d85f8e8951
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-processes.png differ
diff --git a/windows/application-management/media/svchost-grouped-utilization.png b/windows/application-management/media/svchost-grouped-utilization.png
new file mode 100644
index 0000000000..cd46b0d4b4
Binary files /dev/null and b/windows/application-management/media/svchost-grouped-utilization.png differ
diff --git a/windows/application-management/media/svchost-separated-processes.png b/windows/application-management/media/svchost-separated-processes.png
new file mode 100644
index 0000000000..83df0fe580
Binary files /dev/null and b/windows/application-management/media/svchost-separated-processes.png differ
diff --git a/windows/application-management/media/svchost-separated-utilization.png b/windows/application-management/media/svchost-separated-utilization.png
new file mode 100644
index 0000000000..5c5834cc44
Binary files /dev/null and b/windows/application-management/media/svchost-separated-utilization.png differ
diff --git a/windows/application-management/media/svchost-separation-disabled.png b/windows/application-management/media/svchost-separation-disabled.png
new file mode 100644
index 0000000000..5e0e57da92
Binary files /dev/null and b/windows/application-management/media/svchost-separation-disabled.png differ
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
new file mode 100644
index 0000000000..e2f00263db
--- /dev/null
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -0,0 +1,91 @@
+---
+title: Service Host service refactoring in Windows 10 version 1703
+description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: kaushika-ainapure
+author: kaushika-msft
+ms.date: 07/19/2017
+---
+
+# Changes to Service Host grouping in Windows 10
+
+> Applies to: Windows 10
+
+The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance does not affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example:
+
+* Local Service
+* Local Service No Network
+* Local Service Network Restricted
+* Local System
+* Local System Network Restricted
+* Network Service
+
+## Separating SvcHost services
+
+Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process.
+
+Benefits of this design change include:
+
+* Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash.
+* Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host.
+* Increased security by providing additional inter-service isolation
+* Increased scalability by allowing per-service settings and privileges
+* Improved resource management through per-service CPU, I/O and memory management and increase clear telemetry (report CPU, I/O and network usage per service).
+
+>**Try This**
+>
+> To see the refactoring behavior, create a Windows 10 version 1703 VM and configure the memory settings as follows:
+> 1. To see grouped processes, set the RAM to 3484 MB or less. Restart the VM and then open Task Manager.
+> 2. To see separated processes, set the RAM to 3486 MB or greater. Restart the VM and then open Task Manager.
+
+
+Refactoring also makes it easier to view running processes in Task Manager. You can look at Task Manager and know exactly which service is using what resources, without having to expand many separate host groups.
+
+For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
+
+![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png)
+
+Compare that to the same view of running processes in Windows 10 version 1703:
+
+![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png)
+
+
+
+
+## Exceptions
+Some services will continue to be grouped on PCs running with 3.5GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services.
+
+If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
+
+The default value of **1** prevents the service from being split.
+
+For example, this is the registry key configuration for BFE:
+![Example of a service that cannot be separated](media/svchost-separation-disabled.png)
+
+## Memory footprint
+
+Be aware that separating services increases the total number of SvcHost instances, which increases memory utlization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.)
+
+Consider the following:
+
+
+|Grouped Services (< 3.5GB) | Split Services (3.5GB+)
+|--------------------------------------- | ------------------------------------------ |
+|![Memory utilization for grouped services](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) |
+
+> [!NOTE]
+> The above represents the peak observed values.
+
+The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services.
+
+> **Try This**
+>
+>To determine the impact of splitting hosted services on a Windows 10 version 1703 PC, run the following Windows PowerShell cmdlet, before and after toggling the memory settings:
+>
+> ```powershell
+> Get-Process SvcHost | Group-Object -Property ProcessName | Format-Table Name, Count, @{n='Mem (KB)';e={'{0:N0}' -f (($_.Group|Measure-Object WorkingSet -Sum).Sum / 1KB)};a='right'} -AutoSize
+>```
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 60a5ca32e6..4c8d8e4316 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Administrative Tools in Windows 10
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index e3193c1854..457e51889a 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerMS ms.author: jdecker ms.date: 06/13/2017 @@ -16,6 +16,12 @@ ms.date: 06/13/2017 This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. +## July 2017 + +| New or changed topic | Description | +| --- | --- | +| [Group Policy settings that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | Added that Start layout policy setting can be applied to Windows 10 Pro, version 1703 | + ## June 2017 | New or changed topic | Description | diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index cb6ad29962..43db69d30f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Connect to remote Azure Active Directory-joined PC diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md index ecb2e27c4a..ff39d3cc04 100644 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: brianlic-msft -localizationpriority: high +ms.localizationpriority: high --- # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions @@ -23,9 +23,9 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | | **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | | **Do not require CTRL+ALT+DEL**
    combined with
    **Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
    and
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

    **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| -| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight | +| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | | **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) | -| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) | +| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

    User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) | | **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 226c9237e7..68debeba89 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Client management diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index 69f6f73aa0..3536562d23 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Join Windows 10 Mobile to Azure Active Directory diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index b5e9a331ae..78ca7c8d39 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Manage corporate devices 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 1607cad11f..396ee16956 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Manage Windows 10 in your organization - transitioning to modern management diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index e249f70aa6..e9a60b1ed6 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -17,8 +17,7 @@ ms.date: 06/13/2017 - Windows 10 -> [!NOTE] -> When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update. + A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 45051db6b8..f586df7407 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md 
@@ -167,6 +167,73 @@ ### [Policy CSP](policy-configuration-service-provider.md) #### [Policy DDF file](policy-ddf-file.md) #### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md) +#### [AboveLock](policy-csp-abovelock.md) +#### [Accounts](policy-csp-accounts.md) +#### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ApplicationDefaults](policy-csp-applicationdefaults.md) +#### [ApplicationManagement](policy-csp-applicationmanagement.md) +#### [AppVirtualization](policy-csp-appvirtualization.md) +#### [AttachmentManager](policy-csp-attachmentmanager.md) +#### [Authentication](policy-csp-authentication.md) +#### [Autoplay](policy-csp-autoplay.md) +#### [Bitlocker](policy-csp-bitlocker.md) +#### [Bluetooth](policy-csp-bluetooth.md) +#### [Browser](policy-csp-browser.md) +#### [Camera](policy-csp-camera.md) +#### [Cellular](policy-csp-cellular.md) +#### [Connectivity](policy-csp-connectivity.md) +#### [CredentialProviders](policy-csp-credentialproviders.md) +#### [CredentialsUI](policy-csp-credentialsui.md) +#### [Cryptography](policy-csp-cryptography.md) +#### [DataProtection](policy-csp-dataprotection.md) +#### [DataUsage](policy-csp-datausage.md) +#### [Defender](policy-csp-defender.md) +#### [DeliveryOptimization](policy-csp-deliveryoptimization.md) +#### [Desktop](policy-csp-desktop.md) +#### [DeviceGuard](policy-csp-deviceguard.md) +#### [DeviceInstallation](policy-csp-deviceinstallation.md) +#### [DeviceLock](policy-csp-devicelock.md) +#### [Display](policy-csp-display.md) +#### [Education](policy-csp-education.md) +#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md) +#### [ErrorReporting](policy-csp-errorreporting.md) +#### [EventLogService](policy-csp-eventlogservice.md) +#### [Experience](policy-csp-experience.md) +#### [Games](policy-csp-games.md) +#### [InternetExplorer](policy-csp-internetexplorer.md) +#### [Kerberos](policy-csp-kerberos.md) +#### [Licensing](policy-csp-licensing.md) +#### 
[LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +#### [Location](policy-csp-location.md) +#### [LockDown](policy-csp-lockdown.md) +#### [Maps](policy-csp-maps.md) +#### [Messaging](policy-csp-messaging.md) +#### [NetworkIsolation](policy-csp-networkisolation.md) +#### [Notifications](policy-csp-notifications.md) +#### [Power](policy-csp-power.md) +#### [Printers](policy-csp-printers.md) +#### [Privacy](policy-csp-privacy.md) +#### [RemoteAssistance](policy-csp-remoteassistance.md) +#### [RemoteDesktopServices](policy-csp-remotedesktopservices.md) +#### [RemoteManagement](policy-csp-remotemanagement.md) +#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md) +#### [RemoteShell](policy-csp-remoteshell.md) +#### [Search](policy-csp-search.md) +#### [Security](policy-csp-security.md) +#### [Settings](policy-csp-settings.md) +#### [SmartScreen](policy-csp-smartscreen.md) +#### [Speech](policy-csp-speech.md) +#### [Start](policy-csp-start.md) +#### [Storage](policy-csp-storage.md) +#### [System](policy-csp-system.md) +#### [TextInput](policy-csp-textinput.md) +#### [TimeLanguageSettings](policy-csp-timelanguagesettings.md) +#### [Update](policy-csp-update.md) +#### [Wifi](policy-csp-wifi.md) +#### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md) +#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +#### [WindowsLogon](policy-csp-windowslogon.md) +#### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) ### [PROXY CSP](proxy-csp.md) 
@@ -218,6 +285,8 @@ #### [Win32AppInventory DDF file](win32appinventory-ddf-file.md) ### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) #### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md) +### [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) +#### [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) ### [WindowsLicensing CSP](windowslicensing-csp.md) #### [WindowsLicensing DDF file](windowslicensing-ddf-file.md) ### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e1097181a3..8f7f3dd2f0 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -156,6 +156,20 @@ Each of the previous nodes contains one or more of the following leaf nodes:
    diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 8c6466d2d4..59f79b2a6c 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/27/2017 --- # AssignedAccess CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration. @@ -19,8 +21,6 @@ For step-by-step guide for setting up devices to run in kiosk mode, see [Set up > **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education. -  - The following diagram shows the AssignedAccess configuration service provider in tree format ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) 
@@ -36,21 +36,29 @@ In Windows 10, version 1607, you can use a provisioned app to configure the kio Here's an example: ``` syntax -{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} +{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} ``` When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. > **Note**  The domain name can be optional if the user name is unique across the system. -  For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output. + The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. -## Examples +**AssignedAccess/Configuration** +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Enterprises can use this to easily configure and manage the curated lockdown experience. + +Supported operations are Add, Get, Delete, and Replace. + +Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). + +## Examples KioskModeApp Add 
@@ -132,11 +140,319 @@ KioskModeApp Replace ``` +## AssignedAccessConfiguration XSD + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Overview of the AssignedAccessConfiguration XML + +Let's start by looking at the basic structure of the XML file.  + +- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.  +- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id. +- A profile has no effect if it’s not associated to a user account.    +A profile node has below information:  +- Id: a GUID attribute to uniquely identify the Profile. +- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.  +- StartLayout: a node for startlayout policy xml.  +- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.  + +You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml. + +``` syntax + + +    +        +            +                +                      +            +            +        +    +    +        +            +            +        +    + +```   +### Allowed apps +Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules.  +- For Windows apps, you need to provide the App User Model ID (AUMID).  + - [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or  + - Get the AUMID via the [Start Layout XML](#start-layout).  
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). +Here are the predefined assigned access AppLocker rules:  +**For UWP apps** +    +1. Default rule is to allow all users to launch the signed package apps.  +2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list.  +  +> [!Note] +> Assigned access multi-app mode doesn’t block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list.  +  +**For Win32 apps** +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs.  +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration.  +3. Enterprise defined allowed desktop apps are added in the AppLocker allow list.  
+ +The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device. + +``` syntax +      +        +          +          +          +          +          +          +          +        +      +``` + +### Start layout + +Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start.  +  +The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout.  + +A few things to note here: + +- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration.  +- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.  +- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration. + +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start. 
+ +```syntax +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +``` + +For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) + +### Taskbar + +Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.  +The following example exposes the taskbar to the end user: + +``` syntax +      +``` +The following example hides the taskbar: + +``` syntax +      +``` + +> [!Note] +> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar.  + +### Profiles and configs + +In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.  + +``` syntax +  +    +``` + +Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience.  
+ +``` syntax +  +    +      MultiAppKioskUser +      +      +``` + +> [!Note] +> - The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.   +> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. + +### Example AssignedAccessConfiguration XML + +``` syntax + + +    +      +        +          +          +          +          +          +          +          +        +      +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +      +    +    +      MultiAppKioskUser +      +    + +``` diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f3cb07376f..a5f029da79 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
@@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/27/2017 --- # AssignedAccess DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. @@ -20,13 +22,15 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax ]> + "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" + [ + +]> 1.2 
@@ -46,25 +50,52 @@ The XML below is the current version for this CSP. - + com.microsoft/1.1/MDM/AssignedAccess KioskModeApp + - - This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app. + This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. -This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. +This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. + + + + + + + + + + + + + + text/plain + + + + + Configuration + + + + + + + + This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN. diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index d3ca116cea..d205a19291 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
@@ -52,7 +52,7 @@ Two Azure AD MDM enrollment scenarios: - Joining a device to Azure AD for company-owned devices - Adding a work account to a personal device (BYOD) -In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment. +In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment. In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 2007e89d95..82a438d517 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/06/2017 --- # BitLocker CSP @@ -34,6 +34,11 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.

    +- 0 (default) – Storage cards do not need to be encrypted. +- 1 – Require Storage cards to be encrypted. + +

    Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

    +

    If you want to disable this policy use the following SyncML:

    ``` syntax @@ -106,14 +111,16 @@ The following diagram shows the BitLocker configuration service provider in tree

    EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

    The possible values for 'xx' are:

    -
      -
    • 3 = AES-CBC 128
    • -
    • 4 = AES-CBC 256
    • -
    • 6 = XTS-AES 128
    • -
    • 7 = XTS-AES 256
    • -
    -

    If you want to disable this policy use the following SyncML:

    +- 3 = AES-CBC 128 +- 4 = AES-CBC 256 +- 6 = XTS-AES 128 +- 7 = XTS-AES 256 + +> [!Note] +> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. + +

    If you want to disable this policy use the following SyncML:

    ``` syntax @@ -248,14 +255,16 @@ The following diagram shows the BitLocker configuration service provider in tree ```

    The possible values for 'xx' are:

    -
      -
    • 0 = Empty
    • -
    • 1 = Use default recovery message and URL.
    • -
    • 2 = Custom recovery message is set.
    • -
    • 3 = Custom recovery URL is set.
    • -
    • 'yy' = string of max length 900.
    • -
    • 'zz' = string of max length 500.
    • -
    + +- 0 = Empty +- 1 = Use default recovery message and URL. +- 2 = Custom recovery message is set. +- 3 = Custom recovery URL is set. +- 'yy' = string of max length 900. +- 'zz' = string of max length 500. + +> [!Note] +> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.

    Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

    diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 392f0820ef..7e2371d151 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -183,14 +183,15 @@ The following diagram shows the CM\_CellularEntries configuration service provid

    For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** -

    Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: +

    Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: - Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F - MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8 - IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13 - SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD -- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10) -- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10) +- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB +- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 +- Application - 52D7654A-00A8-4140-806C-087D66705306 ## Additional information diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index b9c1c1cd51..f619993de2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -275,11 +275,11 @@ Footnotes:

    - - + + - - + + @@ -359,11 +359,11 @@ Footnotes: - - + + - - + + @@ -840,8 +840,8 @@ Footnotes: - - + +
    Support for free and paid appsSupports all free and paid products
      +
    • Afghanistan
    • Algeria
    • +
    • Andorra
    • Angola
    • +
    • Anguilla
    • +
    • Antigua and Barbuda
    • Argentina
    • Australia
    • Austria
    • @@ -177,41 +181,48 @@ Microsoft Store for Business and Education is currently available in these marke
    • Belgium
    • Belize
    • Bermuda
    • +
    • Benin
    • Bhutan
    • Bolivia
    • +
    • Bonaire
    • Botswana
    • Brunei Darussalam
    • Bulgaria
    • +
    • Burundi
    • Cambodia
    • Cameroon
    • Canada
    • -
    • Republic of Cabo Verde
    • Cayman Islands
    • Chile
    • Colombia
    • +
    • Comoros
    • Costa Rica
    • Côte D'ivoire
    • Croatia
    • Curçao
    • Cyprus
    • -
    -
    -
    • Czech Republic
    • Denmark
    • Dominican Republic
    • Ecuador
    • +
    +
    +
    • Egypt
    • El Salvador
    • Estonia
    • +
    • Ethiopia
    • Faroe Islands
    • Fiji
    • Finland
    • France
    • +
    • French Guiana
    • +
    • French Polynesia
    • Germany
    • Ghana
    • Greece
    • +
    • Greenland
    • Guadeloupe
    • Guatemala
    • Honduras
    • @@ -225,29 +236,42 @@ Microsoft Store for Business and Education is currently available in these marke
    • Italy
    • Jamaica
    • Japan
    • +
    • Jersey
    • Jordan
    • -
    • Kenya
    • -
    -
    -
      +
    • Kenya
    • Kuwait
    • +
    • Laos
    • Latvia
    • Lebanon
    • Libya
    • Liechtenstein
    • Lithuania
    • Luxembourg
    • +
    • Macedonia
    • +
    • Madagascar
    • +
    +
    +
      +
    • Malawi
    • Malaysia
    • +
    • Maldives
    • +
    • Mali
    • Malta
    • +
    • Marshall Islands
    • +
    • Martinique
    • Mauritius
    • +
    • Mayotte
    • Mexico
    • Mongolia
    • Montenegro
    • Morocco
    • Mozambique
    • +
    • Myanamar
    • Namibia
    • +
    • Nepal
    • Netherlands
    • +
    • New Caledonia
    • New Zealand
    • Nicaragua
    • Nigeria
    • @@ -256,48 +280,60 @@ Microsoft Store for Business and Education is currently available in these marke
    • Pakistan
    • Palestinian Authority
    • Panama
    • +
    • Papua New Guinea
    • Paraguay
    • Peru
    • Philippines
    • -
    • Poland
    • +
    • Poland
    • +
    • Portugal
    • +
    • Puerto Rico
    • +
    • Qatar
    • +
    • Republic of Cabo Verde
    • +
    • Reunion
    • +
    • Romania
    • +
    • Rwanda
    • +
    • Saint Kitts and Nevis
      -
    • Portugal
    • -
    • Puerto Rico
    • -
    • Qatar
    • -
    • Romania
    • -
    • Rwanda
    • -
    • Saint Kitts and Nevis
    • +
    • Saint Lucia
    • +
    • Saint Martin
    • +
    • Saint Vincent and the Grenadines
    • +
    • San marino
    • Saudi Arabia
    • Senegal
    • Serbia
    • +
    • Seychelles
    • Singapore
    • +
    • Sint Maarten
    • Slovakia
    • Slovenia
    • South Africa
    • Spain
    • +
    • Sri Lanka
    • +
    • Suriname
    • Sweden
    • Switzerland
    • Tanzania
    • Thailand
    • +
    • Timor-Leste
    • +
    • Togo
    • +
    • Tonga
    • Trinidad and Tobago
    • Tunisia
    • Turkey
    • +
    • Turks and Caicos Islands
    • Uganda
    • United Arab Emirates
    • United Kingdom
    • -
    • United States
    • -
    -
    -
      +
    • United States
    • Uruguay
    • +
    • Vatican City
    • Viet Nam
    • Virgin Islands, U.S.
    • Zambia
    • -
    • Zimbabwe
                              
    • +
    • Zimbabwe
         

    Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

    Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

    For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

    +

    Here is a sample certutil invocation:

    + +``` +certutil -encode WinSiPolicy.p7b WinSiPolicy.txt +``` + +

    Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.

    +

    An alternative to using certutil would be to use the following PowerShell invocation:

    + +``` +[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` + +

    If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

    Data type is string. Supported operations are Get, Add, Delete, and Replace.

    Mobile Enterprise
    cross markcross markcheck mark3check mark3 cross markcross markcheck mark3check mark3 check mark check mark
    Mobile Enterprise
    cross markcross markcheck mark3check mark3 cross markcross markcheck mark3check mark3 check mark check mark
    cross mark check mark2 check mark2cross markcross markcheck mark3check mark3
    @@ -2305,6 +2305,37 @@ Footnotes: + + +[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + + + + [WindowsLicensing CSP](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 9abf518c45..2d8c6f0b32 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -12,6 +12,8 @@ ms.date: 06/19/2017 # DeviceStatus CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. 
@@ -113,32 +115,32 @@ Boolean value that indicates compliance with the enterprise encryption policy. T Supported operation is Get. **DeviceStatus/TPM** -Added in , version 1607. Node for the TPM query. +Added in Windows, version 1607. Node for the TPM query. Supported operation is Get. **DeviceStatus/TPM/SpecificationVersion** -Added in , version 1607. String that specifies the specification version. +Added in Windows, version 1607. String that specifies the specification version. Supported operation is Get. **DeviceStatus/OS** -Added in , version 1607. Node for the OS query. +Added in Windows, version 1607. Node for the OS query. Supported operation is Get. **DeviceStatus/OS/Edition** -Added in , version 1607. String that specifies the OS edition. +Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. **DeviceStatus/Antivirus** -Added in , version 1607. Node for the antivirus query. +Added in Windows, version 1607. Node for the antivirus query. Supported operation is Get. **DeviceStatus/Antivirus/SignatureStatus** -Added in , version 1607. Integer that specifies the status of the antivirus signature. +Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. Valid values: @@ -149,7 +151,7 @@ Valid values: Supported operation is Get. **DeviceStatus/Antivirus/Status** -Added in , version 1607. Integer that specifies the status of the antivirus. +Added in Windows, version 1607. Integer that specifies the status of the antivirus. Valid values: 
@@ -162,27 +164,27 @@ Valid values: Supported operation is Get. **DeviceStatus/Antispyware** -Added in , version 1607. Node for the antispyware query. +Added in Windows, version 1607. Node for the antispyware query. Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** -Added in , version 1607. Integer that specifies the status of the antispyware signature. +Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. Supported operation is Get. **DeviceStatus/Antispyware/Status** -Added in , version 1607. Integer that specifies the status of the antispyware. +Added in Windows, version 1607. Integer that specifies the status of the antispyware. Supported operation is Get. **DeviceStatus/Firewall** -Added in , version 1607. Node for the firewall query. +Added in Windows, version 1607. Node for the firewall query. Supported operation is Get. **DeviceStatus/Firewall/Status** -Added in , version 1607. Integer that specifies the status of the firewall. +Added in Windows, version 1607. Integer that specifies the status of the firewall. Valid values: 
@@ -195,43 +197,84 @@ Valid values: Supported operation is Get. **DeviceStatus/UAC** -Added in , version 1607. Node for the UAC query. +Added in Windows, version 1607. Node for the UAC query. Supported operation is Get. **DeviceStatus/UAC/Status** -Added in , version 1607. Integer that specifies the status of the UAC. +Added in Windows, version 1607. Integer that specifies the status of the UAC. Supported operation is Get. **DeviceStatus/Battery** -Added in , version 1607. Node for the battery query. +Added in Windows, version 1607. Node for the battery query. Supported operation is Get. **DeviceStatus/Battery/Status** -Added in , version 1607. Integer that specifies the status of the battery +Added in Windows, version 1607. Integer that specifies the status of the battery Supported operation is Get. **DeviceStatus/Battery/EstimatedChargeRemaining** -Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/Battery/EstimatedRuntime** -Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). +Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. 
This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -  - -  +**DeviceStatus/DomainName** +Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string. +Supported operation is Get. + +**DeviceStatus/DeviceGuard** +Added in Windows, version 1709. Node for Device Guard query. + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** +Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. + +- 0x0: System meets hardware configuration requirements +- 0x1: SecureBoot required +- 0x2: DMA Protection required +- 0x4: HyperV not supported for Guest VM +- 0x8: HyperV feature is not available + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** +Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: +- 0 - Running +- 1 - Reboot required +- 2 - 64 bit architecture required +- 3 - not licensed +- 4 - not configured +- 5 - System doesn't meet hardware requirements +- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details + + +Supported operation is Get. + +**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** +Added in Windows, version 1709. Local System Authority (LSA) credential guard status. + +- 0 - Running +- 1 - Reboot required +- 2 - Not licensed for Credential Guard +- 3 - Not configured +- 4 - VBS not running + + +Supported operation is Get. 
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 9fc150cf5b..b9e8608716 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/24/2017 --- # DeviceStatus DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML. @@ -20,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -46,7 +48,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/DeviceStatus + com.microsoft/1.4/MDM/DeviceStatus 
@@ -761,16 +763,108 @@ The XML below is the current version for this CSP. + + DomainName + + + + + Returns the fully qualified domain name of the device(if any). + + + + + + + + + + DomainName + + text/plain + + + + + DeviceGuard + + + + + + + + + + + + + + + + + + + VirtualizationBasedSecurityHwReq + + + + + + + + + + + + + + + text/plain + + + + + VirtualizationBasedSecurityStatus + + + + + + + + + + + + + + + text/plain + + + + + LsaCfgCredGuardStatus + + + + + + + + + + + + + + + text/plain + + + + -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 7d94f470b7..222f582e36 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/12/2017 --- # EnterpriseAssignedAccess CSP @@ -26,7 +26,7 @@ The following diagram shows the EnterpriseAssignedAccess configuration service p The following list shows the characteristics and parameters. -**.Vendor/MSFT/EnterpriseAssignedAccess/** +**./Vendor/MSFT/EnterpriseAssignedAccess/** The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace. **AssignedAccess/** 
@@ -39,10 +39,10 @@ Supported operations are Add, Delete, Get and Replace. The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML. -> **Important**   -When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as < instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. +> [!Important]    +> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. -When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters. +When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters. Entry | Description ----------- | ------------ @@ -136,10 +136,7 @@ An application that belongs in the folder would add an optional attribute **Pare Entry | Description ----------- | ------------ -Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. - -> [!Important] -> Do not specify a group entry without a page entry because it will cause an undefined behavior. +Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. For Windows 10, version 1703, see the instructions below for the new way to specify the settings pages.
    • System (main menu) - SettingsPageGroupPCSystem @@ -245,12 +242,32 @@ Settings | Starting in Windows 10, version 1511, you can specify the following
    +Entry | Description +----------- | ------------ +Settings | Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. + +For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. + +Here is an example for Windows 10, version 1703. + +``` syntax + + + + + + + + + +``` + **Quick action settings** Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). > [!Note] -> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703. +> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • SystemSettings_System_Display_QuickAction_Brightness

      @@ -287,6 +304,25 @@ Starting in Windows 10, version 1511, you can specify the following quick acti

      Dependencies - none

    +Starting in Windows 10, version 1703, Quick action settings no longer require any dependencis from related group or page. Here is the list: +- QuickActions_Launcher_AllSettings +- QuickActions_Launcher_DeviceDiscovery +- SystemSettings_BatterySaver_LandingPage_OverrideControl +- SystemSettings_Device_BluetoothQuickAction +- SystemSettings_Flashlight_Toggle +- SystemSettings_Launcher_QuickNote +- SystemSettings_Network_VPN_QuickAction +- SystemSettings_Privacy_LocationEnabledUserPhone +- SystemSettings_QuickAction_AirplaneMode +- SystemSettings_QuickAction_Camera +- SystemSettings_QuickAction_CellularData +- SystemSettings_QuickAction_InternetSharing +- SystemSettings_QuickAction_QuietHours +- SystemSettings_QuickAction_WiFi +- SystemSettings_System_Display_Internal_Rotation +- SystemSettings_System_Display_QuickAction_Brightness + + In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. ``` syntax @@ -294,7 +330,7 @@ In this example, all settings pages and quick action settings are allowed. An em ``` -In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. +In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. ``` syntax @@ -310,6 +346,19 @@ In this example, all System setting pages are enabled. Note that the System page ``` +Here is an example for Windows 10, version 1703. + +``` syntax + + + + + + + + + +``` Entry | Description ----------- | ------------ diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index f793b9b7af..89037bff06 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/11/2017 --- # EnterpriseDesktopAppManagement CSP @@ -48,6 +48,26 @@ Installation date of the application. Value type is string. Supported operation **MSI/*ProductID*/DownloadInstall** Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. +In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. + +Here is an example: + +```syntax + + + /quiet + + 5 + + 3 + + 5 + + 1 + + +``` + **MSI/*ProductID*/Status** Status of the application. Value type is string. Supported operation is Get. diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index a1520e20ad..ea69e071b5 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md 
@@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields: - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.   @@ -297,7 +297,7 @@ After the user is authenticated, the web service retrieves the certificate templ MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.   
@@ -482,7 +482,7 @@ The following example shows the enrollment web service request for federated aut
 After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
-> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
+> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
  
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
index 14d49cdd89..df8aa48b95 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
index 55b12f6c7f..76c746d95f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png
index 8ef11aeb25..1e31e34b6e 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png and b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png
index 6bf38313ac..a5b77e0b42 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png and b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
new file mode 100644
index 0000000000..8e18128149
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index d71053ae18..ddbd9bfab8 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/28/2017
+ms.date: 08/04/2017
 ---
 # What's new in MDM enrollment and management
@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 - [What's new in Windows 10, version 1511](#whatsnew)
 - [What's new in Windows 10, version 1607](#whatsnew1607)
 - [What's new in Windows 10, version 1703](#whatsnew10)
+- [What's new in Windows 10, version 1709](#whatsnew1709)
 - [Breaking changes and known issues](#breaking-changes-and-known-issues)
 - [Get command inside an atomic command is not supported](#getcommand)
 - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification)
@@ -913,6 +914,130 @@ For details about Microsoft mobile device management protocols for Windows 10 s   +## What's new in Windows 10, version 1709 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ItemDescription
    [Firewall CSP](firewall-csp.md)

    Added new CSP in Windows 10, version 1709.

    +
    [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
    [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
    [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
    [VPNv2 CSP](vpnv2-csp.md)

    Added DeviceTunnel profile in Windows 10, version 1709.

    +
    [DeviceStatus CSP](devicestatus-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • DeviceStatus/DomainName
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • +
    • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • +
    +
    [AssignedAccess CSP](assignedaccess-csp.md)

    Here are the changes in Windows 10, version 1709.

    +
      +
    • Added Configuration node
    • +
    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • CredentialProviders/DisableAutomaticReDeploymentCredentials
    • +
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • +
    • DeviceGuard/RequirePlatformSecurityFeatures
    • +
    • DeviceGuard/LsaCfgFlags
    • +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
    • Power/DisplayOffTimeoutOnBattery
    • +
    • Power/DisplayOffTimeoutPluggedIn
    • +
    • Power/HibernateTimeoutOnBattery
    • +
    • Power/HibernateTimeoutPluggedIn
    • +
    • Power/StandbyTimeoutOnBattery
    • +
    • Power/StandbyTimeoutPluggedIn
    • +
    • Defender/AttackSurfaceReductionOnlyExclusions
    • +
    • Defender/AttackSurfaceReductionRules
    • +
    • Defender/CloudBlockLevel
    • +
    • Defender/CloudExtendedTimeout
    • +
    • Defender/EnableGuardMyFolders
    • +
    • Defender/EnableNetworkProtection
    • +
    • Defender/GuardedFoldersAllowedApplications
    • +
    • Defender/GuardedFoldersList
    • +
    • Education/DefaultPrinterName
    • +
    • Education/PreventAddingNewPrinters
    • +
    • Education/PrinterNames
    • +
    • Security/ClearTPMIfNotReady
    • +
    • Update/ScheduledInstallEveryWeek
    • +
    • Update/ScheduledInstallFirstWeek
    • +
    • Update/ScheduledInstallFourthWeek
    • +
    • Update/ScheduledInstallSecondWeek
    • +
    • Update/ScheduledInstallThirdWeek
    • +
    • WindowsDefenderSecurityCenter/CompanyName
    • +
    • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • +
    • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableFamilyUI
    • +
    • WindowsDefenderSecurityCenter/DisableHealthUI
    • +
    • WindowsDefenderSecurityCenter/DisableNetworkUI
    • +
    • WindowsDefenderSecurityCenter/DisableNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableVirusUI
    • +
    • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • +
    • WindowsDefenderSecurityCenter/Email
    • +
    • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • +
    • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • +
    • WindowsDefenderSecurityCenter/Phone
    • +
    • WindowsDefenderSecurityCenter/URL
    • +
    +
    ## Breaking changes and known issues @@ -1179,6 +1304,149 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### August 2017 + + ++++ + + + + + + + + + + + + + + +
    New or updated topicDescription
    [CM\_CellularEntries CSP](cm-cellularentries-csp.md)

    Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    +
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • +
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
    • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
    • +
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
    +

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    +
    + +### July 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [VPNv2 CSP](vpnv2-csp.md)

    Added DeviceTunnel profile in Windows 10, version 1709.

    +
    [BitLocker CSP](bitlocker-csp.md)Added the following statements:. +
      +
    • When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
    • +
    • When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
    • +
    +
    [Policy CSP](policy-configuration-service-provider.md) +

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Education/DefaultPrinterName
    • +
    • Education/PreventAddingNewPrinters
    • +
    • Education/PrinterNames
    • +
    • Security/ClearTPMIfNotReady
    • +
    • WindowsDefenderSecurityCenter/CompanyName
    • +
    • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • +
    • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableFamilyUI
    • +
    • WindowsDefenderSecurityCenter/DisableHealthUI
    • +
    • WindowsDefenderSecurityCenter/DisableNetworkUI
    • +
    • WindowsDefenderSecurityCenter/DisableNotifications
    • +
    • WindowsDefenderSecurityCenter/DisableVirusUI
    • +
    • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • +
    • WindowsDefenderSecurityCenter/Email
    • +
    • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • +
    • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • +
    • WindowsDefenderSecurityCenter/Phone
    • +
    • WindowsDefenderSecurityCenter/URL
    • +
    +

    Experience/AllowFindMyDevice - updated the description to include active digitizers.

    +
    [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)Added the following statement to [MSI/ProductID/DownloadInstall](enterprisedesktopappmanagement-csp.md#msi-productid-downloadinstall): +
      +
    • In Windows 10, version 1703 service release, a new tag "DownloadFromAad" was added to the "Enforcement" section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
    • +
    +
    [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)Added the following information about the settings pages in AssigneAccessXML: +
      +
    • Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page.
    • +
    • In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • +
    +
    [DeviceStatus CSP](devicestatus-csp.md)

    Added the following settings in Windows 10, version 1709:

    +
      +
    • DeviceStatus/DomainName
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • +
    • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • +
    • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • +
        +
    [AssignedAccess CSP](assignedaccess-csp.md)

    Here are the changes in Windows 10, version 1709.

    +
      +
    • Added Configuration node
    • +
    +
    [SurfaceHub CSP](surfacehub-csp.md)

    Changed PasswordRotationPeriod to PasswordRotationEnabled.

    +
    + ### June 2017 @@ -1241,6 +1509,14 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
  • Power/HibernateTimeoutPluggedIn
  • Power/StandbyTimeoutOnBattery
  • Power/StandbyTimeoutPluggedIn
  • +
  • Defender/AttackSurfaceReductionOnlyExclusions
  • +
  • Defender/AttackSurfaceReductionRules
  • +
  • Defender/CloudBlockLevel
  • +
  • Defender/CloudExtendedTimeout
  • +
  • Defender/EnableGuardMyFolders
  • +
  • Defender/EnableNetworkProtection
  • +
  • Defender/GuardedFoldersAllowedApplications
  • +
  • Defender/GuardedFoldersList
  • Update/ScheduledInstallEveryWeek
  • Update/ScheduledInstallFirstWeek
  • Update/ScheduledInstallFourthWeek
  • @@ -1258,9 +1534,17 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). + + + + + + + +
    [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
    [DynamicManagement CSP](dynamicmanagement-csp.md) The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
    [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
    @@ -2408,10 +2692,16 @@ No. Only one MDM is allowed. 5. Set quota to unlimited. ![aad maximum joined devices](images/faq-max-devices.png) -   -  +**What is dmwappushsvc?** + +Entry | Description +--------------- | -------------------- +What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. | +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 44bf627310..8887d570cb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/28/2017 +ms.date: 08/04/2017 --- # Policy CSP 
@@ -77,7 +77,7 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md). +

    Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). @@ -87,12 +87,12 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_** -

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file. +

    Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.

    Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.

    Supported operations are Add, Get, and Delete. @@ -102,7 +102,7 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** -

    Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported. +

    Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.

    Supported operations are Add, Get, and Delete. @@ -114,21107 +114,3178 @@ The following diagram shows the Policy configuration service provider in tree fo > [!Note] > The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S. - -


    - -## Policies - - -**AboveLock/AllowActionCenterNotifications** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

    Specifies whether to allow Action Center notifications above the device lock screen. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**AboveLock/AllowCortanaAboveLock** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**AboveLock/AllowToasts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow toast notifications above the device lock screen. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Accounts/AllowAddingNonMicrosoftAccountsManually** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether user is allowed to add non-MSA email accounts. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -> [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - - -**Accounts/AllowMicrosoftAccountConnection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Accounts/AllowMicrosoftAccountSignInAssistant** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. - -

    The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Manual start. - - - - -**Accounts/DomainNamesForEmailSync** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies a list of the domains that are allowed to sync email on the device. - -

    The data type is a string. - -

    The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - - -**ActiveXControls/ApprovedInstallationSites** - - -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. - -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. - -Note: Wild card characters cannot be used when specifying the host URLs. - - - -ADMX Info: -- GP english name: *Approved Installation Sites for ActiveX Controls* -- GP name: *ApprovedActiveXInstallSites* -- GP path: *Windows Components/ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* - - - - -**AppVirtualization/AllowAppVClient** - - -This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - - -ADMX Info: -- GP english name: *Enable App-V Client* -- GP name: *EnableAppV* -- GP path: *System/App-V* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowDynamicVirtualization** - - -Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. 
- - - -ADMX Info: -- GP english name: *Enable Dynamic Virtualization* -- GP name: *Virtualization_JITVEnable* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageCleanup** - - -Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - - -ADMX Info: -- GP english name: *Enable automatic cleanup of unused appv packages* -- GP name: *PackageManagement_AutoCleanupEnable* -- GP path: *System/App-V/Package Management* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageScripts** - - -Enables scripts defined in the package manifest of configuration files that should run. - - - -ADMX Info: -- GP english name: *Enable Package Scripts* -- GP name: *Scripting_Enable_Package_Scripts* -- GP path: *System/App-V/Scripting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPublishingRefreshUX** - - -Enables a UX to display to the user when a publishing refresh is performed on the client. - - - -ADMX Info: -- GP english name: *Enable Publishing Refresh UX* -- GP name: *Enable_Publishing_Refresh_UX* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowReportingServer** - - -Reporting Server URL: Displays the URL of reporting server. - -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - -Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - -Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - -Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. 
The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. - -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - -ADMX Info: -- GP english name: *Reporting Server* -- GP name: *Reporting_Server_Policy* -- GP path: *System/App-V/Reporting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingFileExclusions** - - -Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - - -ADMX Info: -- GP english name: *Roaming File Exclusions* -- GP name: *Integration_Roaming_File_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingRegistryExclusions** - - -Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. 
- - - -ADMX Info: -- GP english name: *Roaming Registry Exclusions* -- GP name: *Integration_Roaming_Registry_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowStreamingAutoload** - - -Specifies how new packages should be loaded automatically by App-V on a specific computer. - - - -ADMX Info: -- GP english name: *Specify what to load in background (aka AutoLoad)* -- GP name: *Steaming_Autoload* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - - -Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - - -ADMX Info: -- GP english name: *Enable Migration Mode* -- GP name: *Client_Coexistence_Enable_Migration_mode* -- GP path: *System/App-V/Client Coexistence* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootGlobal** - - -Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - - -ADMX Info: -- GP english name: *Integration Root User* -- GP name: *Integration_Root_User* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootUser** - - -Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. 
- - - -ADMX Info: -- GP english name: *Integration Root Global* -- GP name: *Integration_Root_Global* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer1** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 1 Settings* -- GP name: *Publishing_Server1_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer2** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). 
- -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 2 Settings* -- GP name: *Publishing_Server2_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer3** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 3 Settings* -- GP name: *Publishing_Server3_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer4** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. 
- -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 4 Settings* -- GP name: *Publishing_Server4_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer5** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. 
- -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - -ADMX Info: -- GP english name: *Publishing Server 5 Settings* -- GP name: *Publishing_Server5_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - - -Specifies the path to a valid certificate in the certificate store. - - - -ADMX Info: -- GP english name: *Certificate Filter For Client SSL* -- GP name: *Streaming_Certificate_Filter_For_Client_SSL* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowHighCostLaunch** - - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - - -ADMX Info: -- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* -- GP name: *Streaming_Allow_High_Cost_Launch* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowLocationProvider** - - -Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - - -ADMX Info: -- GP english name: *Location Provider* -- GP name: *Streaming_Location_Provider* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - - -Specifies directory where all new applications and updates will be installed. - - - -ADMX Info: -- GP english name: *Package Installation Root* -- GP name: *Streaming_Package_Installation_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageSourceRoot** - - -Overrides source location for downloading package content. 
- - - -ADMX Info: -- GP english name: *Package Source Root* -- GP name: *Streaming_Package_Source_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentInterval** - - -Specifies the number of seconds between attempts to reestablish a dropped session. - - - -ADMX Info: -- GP english name: *Reestablishment Interval* -- GP name: *Streaming_Reestablishment_Interval* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentRetries** - - -Specifies the number of times to retry a dropped session. - - - -ADMX Info: -- GP english name: *Reestablishment Retries* -- GP name: *Streaming_Reestablishment_Retries* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSharedContentStoreMode** - - -Specifies that streamed package contents will be not be saved to the local hard disk. - - - -ADMX Info: -- GP english name: *Shared Content Store (SCS) mode* -- GP name: *Streaming_Shared_Content_Store_Mode* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSupportBranchCache** - - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - - -ADMX Info: -- GP english name: *Enable Support for BranchCache* -- GP name: *Streaming_Support_Branch_Cache* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - - -Verifies Server certificate revocation status before streaming using HTTPS. 
- - - -ADMX Info: -- GP english name: *Verify certificate revocation list* -- GP name: *Streaming_Verify_Certificate_Revocation_List* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/VirtualComponentsAllowList** - - -Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - - -ADMX Info: -- GP english name: *Virtual Component Process Allow List* -- GP name: *Virtualization_JITVAllowList* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**ApplicationDefaults/DefaultAssociationsConfiguration** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. - -

    If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. - -

    To create create the SyncML, follow these steps: -

      -
    1. Install a few apps and change your defaults.
    2. -
    3. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
    4. -
    5. Take the XML output and put it through your favorite base64 encoder app.
    6. -
    7. Paste the base64 encoded XML into the SyncML
    8. -
    - -

    Here is an example output from the dism default association export command: - -``` syntax - - - - - - - -Here is the base64 encoded result: - -``` syntax -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 -``` - -

    Here is the SyncMl example: - -``` syntax - - - - - 101 - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration - - 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 - - - - - - -``` - - - - -**ApplicationManagement/AllowAllTrustedApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether non Windows Store apps are allowed. - -

    The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/AllowAppStoreAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether automatic update of apps from Windows Store are allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/AllowDeveloperUnlock** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether developer unlock is allowed. - -

    The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/AllowGameDVR** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -

    Specifies whether DVR and broadcasting is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/AllowSharedUserAppData** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether multiple users of the same app can share data. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/AllowStore** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -

    Specifies whether app store is allowed at the device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**ApplicationManagement/ApplicationRestrictions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. - -  -

    An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). - -> [!NOTE] -> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. -> -> Here's additional guidance for the upgrade process: -> -> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). -> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. -> - In the SyncML, you must use lowercase product ID. -> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. -> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). - - -

    An application that is running may not be immediately terminated. - -

    Value type is chr. - -

    Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - - -**ApplicationManagement/DisableStoreOriginatedApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. - -

    The following list shows the supported values: - -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. - - - - -**ApplicationManagement/RequirePrivateStoreOnly** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcheck markcheck mark
    - - - -

    Allows disabling of the retail catalog and only enables the Private store. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. - - -

    The following list shows the supported values: - -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. - -

    This is a per user policy. - -

    Most restricted value is 1. - - - - -**ApplicationManagement/RestrictAppDataToSystemVolume** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether application data is restricted to the system drive. - -

    The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -

    Most restricted value is 1. - - - - -**ApplicationManagement/RestrictAppToSystemVolume** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether the installation of applications is restricted to the system drive. - -

    The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -

    Most restricted value is 1. - - - - -**AttachmentManager/DoNotPreserveZoneInformation** - - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. - -If you enable this policy setting, Windows does not mark file attachments with their zone information. - -If you disable this policy setting, Windows marks file attachments with their zone information. - -If you do not configure this policy setting, Windows marks file attachments with their zone information. - - - -ADMX Info: -- GP english name: *Do not preserve zone information in file attachments* -- GP name: *AM_MarkZoneOnSavedAtttachments* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/HideZoneInfoMechanism** - - -This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. - -If you enable this policy setting, Windows hides the check box and Unblock button. - -If you disable this policy setting, Windows shows the check box and Unblock button. - -If you do not configure this policy setting, Windows hides the check box and Unblock button. 
- - - -ADMX Info: -- GP english name: *Hide mechanisms to remove zone information* -- GP name: *AM_RemoveZoneInfo* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/NotifyAntivirusPrograms** - - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. - -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. - -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - - -ADMX Info: -- GP english name: *Notify antivirus programs when opening attachments* -- GP name: *AM_CallIOfficeAntiVirus* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**Authentication/AllowEAPCertSSO** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. - - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Authentication/AllowFastReconnect** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows EAP Fast Reconnect from being attempted for EAP Method TLS. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Authentication/AllowSecondaryAuthenticationDevice** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -

    The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - - -This policy setting disallows AutoPlay for MTP devices like cameras or phones. - -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. - -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - - -ADMX Info: -- GP english name: *Disallow Autoplay for non-volume devices* -- GP name: *NoAutoplayfornonVolume* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/SetDefaultAutoRunBehavior** - - -This policy setting sets the default behavior for Autorun commands. - -Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. - -Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. - -This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. - -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: - -a) Completely disable autorun commands, or -b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. - -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. 
- - - -ADMX Info: -- GP english name: *Set the default behavior for AutoRun* -- GP name: *NoAutorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/TurnOffAutoPlay** - - -This policy setting allows you to turn off the Autoplay feature. - -Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. - -Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. - -Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. - -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. - -This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. - -If you disable or do not configure this policy setting, AutoPlay is enabled. - -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - - -ADMX Info: -- GP english name: *Turn off Autoplay* -- GP name: *Autorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Bitlocker/EncryptionMethod** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies the BitLocker Drive Encryption method and cipher strength. - -> [!NOTE] -> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. - -

    The following list shows the supported values: - -- 3 - AES-CBC 128-bit -- 4 - AES-CBC 256-bit -- 6 - XTS-AES 128-bit (Desktop only) -- 7 - XTS-AES 256-bit (Desktop only) - - - - -**Bluetooth/AllowAdvertising** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether the device can send out Bluetooth advertisements. - -

    The following list shows the supported values: - -- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. -- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. - -

    If this is not set or it is deleted, the default value of 1 (Allow) is used. - -

    Most restricted value is 0. - - - - -**Bluetooth/AllowDiscoverableMode** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether other Bluetooth-enabled devices can discover the device. - -

    The following list shows the supported values: - -- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. -- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. - -

    If this is not set or it is deleted, the default value of 1 (Allow) is used. - -

    Most restricted value is 0. - - - - -**Bluetooth/AllowPrepairing** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    - - - -

    Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default)– Allowed. - - - - -**Bluetooth/LocalDeviceName** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Sets the local Bluetooth device name. - -

    If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. - -

    If this policy is not set or it is deleted, the default local radio name is used. - - - - -**Bluetooth/ServicesAllowedList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. - -

    The default value is an empty string. - - - - -**Browser/AllowAddressBarDropdown** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  - -> [!NOTE] -> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. - -

    The following list shows the supported values: - -- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  -- 1 (default) – Allowed. Address bar drop-down is enabled. - -

    Most restricted value is 0. - - - - -**Browser/AllowAutofill** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -

    Specifies whether autofill on websites is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -

    To verify AllowAutofill is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is greyed out. - - - - -**Browser/AllowBrowser** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. - - -

    Specifies whether the browser is allowed on the device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -

    When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - - -**Browser/AllowCookies** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether cookies are allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -

    To verify AllowCookies is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Cookies** is greyed out. - - - - -**Browser/AllowDeveloperTools** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Browser/AllowDoNotTrack** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether Do Not Track headers are allowed. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

    Most restricted value is 1. - -

    To verify AllowDoNotTrack is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Send Do Not Track requests** is greyed out. - - - - -**Browser/AllowExtensions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Browser/AllowFlash** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -

    Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Browser/AllowFlashClickToRun** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. - -

    The following list shows the supported values: - -- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. -- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - - -**Browser/AllowInPrivate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether InPrivate browsing is allowed on corporate networks. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Browser/AllowMicrosoftCompatibilityList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. -By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". - -

    If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. - -

    The following list shows the supported values: - -- 0 – Not enabled. -- 1 (default) – Enabled. - -

    Most restricted value is 0. - - - - -**Browser/AllowPasswordManager** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether saving and managing passwords locally on the device is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -

    To verify AllowPasswordManager is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - - -**Browser/AllowPopups** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -

    Specifies whether pop-up blocker is allowed or enabled. - -

    The following list shows the supported values: - -- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. -- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. - -

    Most restricted value is 1. - -

    To verify AllowPopups is set to 0 (not allowed): - -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Block pop-ups** is greyed out. - - - - -**Browser/AllowSearchEngineCustomization** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  -   -

    If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Browser/AllowSearchSuggestionsinAddressBar** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether search suggestions are allowed in the address bar. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Browser/AllowSmartScreen** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether Windows Defender SmartScreen is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 1. - -

    To verify AllowSmartScreen is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - - -**Browser/ClearBrowsingDataOnExit** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. - -

    The following list shows the supported values: - -- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. -- 1 – Browsing data is cleared on exit. - -

    Most restricted value is 1. - -

    To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): - -1. Open Microsoft Edge and browse to websites. -2. Close the Microsoft Edge window. -3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - - -**Browser/ConfigureAdditionalSearchEngines** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  -  -

    If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). -Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  - -

    If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. -  -> [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  - -

    The following list shows the supported values: - -- 0 (default) – Additional search engines are not allowed. -- 1 – Additional search engines are allowed. - -

    Most restricted value is 0. - - - - -**Browser/DisableLockdownOfStartPages** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  -   -> [!NOTE] -> This policy has no effect when the Browser/HomePages policy is not configured.  -  -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -

    The following list shows the supported values: - -- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  -- 1 – Disable lockdown of the Start pages and allow users to modify them.   - -

    Most restricted value is 0. - - - - -**Browser/EnterpriseModeSiteList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -  -

    Allows the user to specify an URL of an enterprise site list. - -

    The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL location of the enterprise site list. - - - - -**Browser/EnterpriseSiteListServiceUrl** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -> [!IMPORTANT] -> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). - - - - -**Browser/FirstRunURL** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. - -

    The data type is a string. - -

    The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - - -**Browser/HomePages** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. - -

    Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" - -

    Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. - -

    Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  - -> [!NOTE] -> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - -**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -

    Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. - -

    The following list shows the supported values: - -- 0 (default) – Users can access the about:flags page in Microsoft Edge. -- 1 – Users can't access the about:flags page in Microsoft Edge. - - - - -**Browser/PreventFirstRunPage** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. - -

    The following list shows the supported values: - -- 0 (default) – Employees see the First Run webpage. -- 1 – Employees don't see the First Run webpage. - -

    Most restricted value is 1. - - - - -**Browser/PreventLiveTileDataCollection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. - -

    The following list shows the supported values: - -- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. -- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. - -

    Most restricted value is 1. - - - - -**Browser/PreventSmartScreenPromptOverride** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. - -

    The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - -

    Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - - -**Browser/PreventSmartScreenPromptOverrideForFiles** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. - -

    The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - - - - -**Browser/PreventUsingLocalHostIPAddressForWebRTC** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an

    user’s localhost IP address while making phone calls using WebRTC. - -

    The following list shows the supported values: - -- 0 (default) – The localhost IP address is shown. -- 1 – The localhost IP address is hidden. - - - - -**Browser/SendIntranetTraffictoInternetExplorer** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Specifies whether to send intranet traffic over to Internet Explorer. - -

    The following list shows the supported values: - -- 0 (default) – Intranet traffic is sent to Internet Explorer. -- 1 – Intranet traffic is sent to Microsoft Edge. - -

    Most restricted value is 0. - - - - -**Browser/SetDefaultSearchEngine** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. - -

    You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  -  -

    If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    -  -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -

    The following list shows the supported values: - -- 0 (default) - The default search engine is set to the one specified in App settings. -- 1 - Allows you to configure the default search engine for your employees. - -

    Most restricted value is 0. - - - - -**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. - -

    The following list shows the supported values: - -- 0 (default) – Interstitial pages are not shown. -- 1 – Interstitial pages are shown. - -

    Most restricted value is 0. - - - - -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -> -> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. - -

    The following list shows the supported values: - -- 0 (default) – Synchronization is off. -- 1 – Synchronization is on. - -

    To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: - -

      -
    1. Open Internet Explorer and add some favorites. -
    2. Open Microsoft Edge, then select Hub > Favorites. -
    3. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. -
    - - - - -**Camera/AllowCamera** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Disables or enables the camera. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Connectivity/AllowBluetooth** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows the user to enable Bluetooth or restrict access. - -

    The following list shows the supported values: - -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -> [!NOTE] ->  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. - -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -

    If this is not set or it is deleted, the default value of 2 (Allow) is used. - -

    Most restricted value is 0. - - - - -**Connectivity/AllowCellularData** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -

    Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. - -

    The following list shows the supported values: - -- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user cannot turn it off. - - - - -**Connectivity/AllowCellularDataRoaming** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. - -

    The following list shows the supported values: - -- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user cannot turn it off. - -

    Most restricted value is 0. - -

    To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. - -

    To validate on mobile devices, do the following: - -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. - - - - -**Connectivity/AllowConnectedDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. - -

    The following list shows the supported values: - -- 1 (default) - Allow (CDP service available). -- 0 - Disable (CDP service not available). - - - - -**Connectivity/AllowNFC** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Allows or disallows near field communication (NFC) on the device. - -

    The following list shows the supported values: - -- 0 – Do not allow NFC capabilities. -- 1 (default) – Allow NFC capabilities. - -

    Most restricted value is 0. - - - - -**Connectivity/AllowUSBConnection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. - -

    Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Connectivity/AllowVPNOverCellular** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies what type of underlying connections VPN is allowed to use. - -

    The following list shows the supported values: - -- 0 – VPN is not allowed over cellular. -- 1 (default) – VPN can use any connection, including cellular. - -

    Most restricted value is 0. - - - - -**Connectivity/AllowVPNRoamingOverCellular** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Prevents the device from connecting to VPN when the device roams over cellular networks. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Connectivity/HardenedUNCPaths** - - -This policy setting configures secure access to UNC paths. - -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - -ADMX Info: -- GP english name: *Hardened UNC Paths* -- GP name: *Pol_HardenedPaths* -- GP path: *Network/Network Provider* -- GP ADMX file name: *networkprovider.admx* - - - - -**CredentialProviders/AllowPINLogon** - - -This policy setting allows you to control whether a domain user can sign in using a convenience PIN. - -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. - -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. - -Note: The user's domain password will be cached in the system vault when using this feature. - -To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - - -ADMX Info: -- GP english name: *Turn on convenience PIN sign-in* -- GP name: *AllowDomainPINLogon* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialProviders/BlockPicturePassword** - - -This policy setting allows you to control whether a domain user can sign in using a picture password. - -If you enable this policy setting, a domain user can't set up or sign in with a picture password. - -If you disable or don't configure this policy setting, a domain user can set up and use a picture password. - -Note that the user's domain password will be cached in the system vault when using this feature. - - - -ADMX Info: -- GP english name: *Turn off picture password sign-in* -- GP name: *BlockDomainPicturePassword* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialProviders/EnableWindowsAutoPilotResetCredentials** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    - - - -Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device. - -The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students. - -Default value is 0. - - - - -**CredentialsUI/DisablePasswordReveal** - - -This policy setting allows you to configure the display of the password reveal button in password entry user experiences. - -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. - -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. - -By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. - -The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - - -ADMX Info: -- GP english name: *Do not display the password reveal button* -- GP name: *DisablePasswordReveal* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**CredentialsUI/EnumerateAdministrators** - - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. 
- -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. - -If you disable this policy setting, users will always be required to type a user name and password to elevate. - - - -ADMX Info: -- GP english name: *Enumerate administrator accounts on elevation* -- GP name: *EnumerateAdministrators* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**Cryptography/AllowFipsAlgorithmPolicy** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows or disallows the Federal Information Processing Standard (FIPS) policy. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1– Allowed. - - - - -**Cryptography/TLSCipherSuites** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - -**DataProtection/AllowDirectMemoryAccess** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**DataProtection/LegacySelectiveWipeID** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!IMPORTANT] -> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. - -  -

    Setting used by Windows 8.1 Selective Wipe. - -> [!NOTE] -> This policy is not recommended for use in Windows 10. - - - - -**DataUsage/SetCost3G** - - -This policy setting configures the cost of 3G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - -ADMX Info: -- GP english name: *Set 3G Cost* -- GP name: *SetCost3G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**DataUsage/SetCost4G** - - -This policy setting configures the cost of 4G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. 
- - - -ADMX Info: -- GP english name: *Set 4G Cost* -- GP name: *SetCost4G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**Defender/AllowArchiveScanning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows scanning of archives. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowBehaviorMonitoring** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Allows or disallows Windows Defender Behavior Monitoring functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowCloudProtection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowEmailScanning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows scanning of email. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -**Defender/AllowFullScanOnMappedNetworkDrives** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows a full scan of mapped network drives. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -**Defender/AllowFullScanRemovableDriveScanning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows a full scan of removable drives. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowIOAVProtection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Allows or disallows Windows Defender IOAVP Protection functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowIntrusionPreventionSystem** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows Windows Defender Intrusion Prevention functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowOnAccessProtection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows Windows Defender On Access Protection functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowRealtimeMonitoring** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows Windows Defender Realtime Monitoring functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowScanningNetworkFiles** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Allows or disallows a scanning of network files. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowScriptScanning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows Windows Defender Script Scanning functionality. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AllowUserUIAccess** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Defender/AvgCPULoadFactor** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Represents the average CPU load factor for the Windows Defender scan (in percent). - -

    Valid values: 0–100 - -

    The default value is 50. - - - - -**Defender/DaysToRetainCleanedMalware** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Time period (in days) that quarantine items will be stored on the system. - -

    Valid values: 0–90 - -

    The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - - -**Defender/ExcludedExtensions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - - -**Defender/ExcludedPaths** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - - -**Defender/ExcludedProcesses** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Allows an administrator to specify a list of files opened by processes to ignore during a scan. - -> [!IMPORTANT] -> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. - -  -

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - - -**Defender/PUAProtection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. - -

    The following list shows the supported values: - -- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. -- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -**Defender/RealTimeScanDirection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Controls which sets of files should be monitored. - -> [!NOTE] -> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. - - -

    The following list shows the supported values: - -- 0 (default) – Monitor all files (bi-directional). -- 1 – Monitor incoming files. -- 2 – Monitor outgoing files. - - - - -**Defender/ScanParameter** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Selects whether to perform a quick scan or full scan. - -

    The following list shows the supported values: - -- 1 (default) – Quick scan -- 2 – Full scan - - - - -**Defender/ScheduleQuickScanTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Selects the time of day that the Windows Defender quick scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - -  -

    Valid values: 0–1380 - -

    For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -

    The default value is 120 - - - - -**Defender/ScheduleScanDay** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Selects the day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -

    The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Monday -- 2 – Tuesday -- 3 – Wednesday -- 4 – Thursday -- 5 – Friday -- 6 – Saturday -- 7 – Sunday -- 8 – No scheduled scan - - - - -**Defender/ScheduleScanTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - - -

    Selects the time of day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -

    Valid values: 0–1380. - -

    For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -

    The default value is 120. - - - - -**Defender/SignatureUpdateInterval** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. - -

    Valid values: 0–24. - -

    A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. - -

    The default value is 8. - - - - -**Defender/SubmitSamplesConsent** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. - -  -

    Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. - -

    The following list shows the supported values: - -- 0 – Always prompt. -- 1 (default) – Send safe samples automatically. -- 2 – Never send. -- 3 – Send all samples automatically. - - - - -**Defender/ThreatSeverityDefaultAction** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop. -  - -

    Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. - -

    This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 - -

    The following list shows the supported values for threat severity levels: - -- 1 – Low severity threats -- 2 – Moderate severity threats -- 4 – High severity threats -- 5 – Severe threats - -

    The following list shows the supported values for possible actions: - -- 1 – Clean -- 2 – Quarantine -- 3 – Remove -- 6 – Allow -- 8 – User defined -- 10 – Block - - - - -**DeliveryOptimization/DOAbsoluteMaxCacheSize** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. - -

    The default value is 10. - - - - -**DeliveryOptimization/DOAllowVPNPeerCaching** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. - -

    The default value is 0 (FALSE). - - - - -**DeliveryOptimization/DODownloadMode** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - -

    The following list shows the supported values: - -- 0 –HTTP only, no peering. -- 1 (default) – HTTP blended with peering behind the same NAT. -- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. -- 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - - -**DeliveryOptimization/DOGroupId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. - -> [!NOTE] -> You must use a GUID as the group ID. - - - - -**DeliveryOptimization/DOMaxCacheAge** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. - -

    The default value is 259200 seconds (3 days). - - - - -**DeliveryOptimization/DOMaxCacheSize** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

    Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). - -

    The default value is 20. - - - - -**DeliveryOptimization/DOMaxDownloadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -  - -

    Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -**DeliveryOptimization/DOMaxUploadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

    Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. - -

    The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - - -**DeliveryOptimization/DOMinBackgroundQos** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. - -

    The default value is 500. - - - - -**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -

    Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. - -

    The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - - -**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. - -

    The default value is 32 GB. - - - - -**DeliveryOptimization/DOMinFileSizeToCache** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. - -

    The default value is 100 MB. - - - - -**DeliveryOptimization/DOMinRAMAllowedToPeer** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. - -

    The default value is 4 GB. - - - - -**DeliveryOptimization/DOModifyCacheDrive** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. - -

    By default, %SystemDrive% is used to store the cache. - - - - -**DeliveryOptimization/DOMonthlyUploadDataCap** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -

    The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. - -

    The default value is 20. - - - - -**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. - -  -

    Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -**Desktop/PreventUserRedirectionOfProfileFolders** - - -Prevents users from changing the path to their profile folders. - -By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. - -If you enable this setting, users are unable to type a new location in the Target box. - - - -ADMX Info: -- GP english name: *Prohibit User from manually redirecting Profile Folders* -- GP name: *DisablePersonalDirChange* -- GP path: *Desktop* -- GP ADMX file name: *desktop.admx* - - - - - -**DeviceGuard/EnableVirtualizationBasedSecurity** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    - - - -  -

    Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: -

      -
    • 0 (default) - disable virtualization based security
    • -
    • 1 - enable virtualization based security
    • -
    - - - - - -**DeviceGuard/RequirePlatformSecurityFeatures** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    - - -Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values: -
      -
    • 1 (default) - Turns on VBS with Secure Boot.
    • -
    • 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
    • -
    -  -

    - - - - - -**DeviceGuard/LsaCfgFlags** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    - - - -  -

    Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: -

      -
    • 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock
    • -
    • 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock
    • -
    • 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock
    • - -
    - - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - - -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - - -ADMX Info: -- GP english name: *Prevent installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. 
- - - -ADMX Info: -- GP english name: *Prevent installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceLock/AllowIdleReturnWithoutPassword** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

    Specifies whether the user must input a PIN or password when the device resumes from an idle state. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - -  -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

    Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -> [!IMPORTANT] -> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - -**DeviceLock/AllowSimpleDevicePassword** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/AlphanumericDevicePasswordRequired** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). - - -

    The following list shows the supported values: - -- 0 – Alphanumeric PIN or password required. -- 1 – Numeric PIN or password required. -- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. - -> [!NOTE] -> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> -> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. - -  - - - - -**DeviceLock/DevicePasswordEnabled** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether device lock is enabled. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. -  - -

    The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -> [!IMPORTANT] -> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: -> -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] -> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: -> -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 -> -> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: -> -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters  -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock - - - - -**DeviceLock/DevicePasswordExpiration** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies when the password expires (in days). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords do not expire. - -

    If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/DevicePasswordHistory** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies how many passwords can be stored in the history that can’t be used. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) - -

    The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. - -

    Max policy value is the most restricted. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/EnforceLockScreenAndLogonImage** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. - -> [!NOTE] -> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. - - -

    Value type is a string, which is the full image filepath and filename. - - - - -**DeviceLock/EnforceLockScreenProvider** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. - -> [!NOTE] -> This policy is only enforced in Windows 10 for mobile devices. - - -

    Value type is a string, which is the AppID. - - - - -**DeviceLock/MaxDevicePasswordFailedAttempts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    This policy has different behaviors on the mobile device and desktop. - -- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. -- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. - - Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. - -

    The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. - -

    Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/MaxInactivityTimeDeviceLock** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    - - - -

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -

    The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - - -**DeviceLock/MinDevicePasswordComplexCharacters** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - -

    PIN enforces the following behavior for desktop and mobile devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required - -

    The default value is 1. The following list shows the supported values and actual enforced values: - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Account TypeSupported ValuesActual Enforced Values

    Mobile

    1,2,3,4

    Same as the value set

    Desktop Local Accounts

    1,2,3

    3

    Desktop Microsoft Accounts

    1,2

    Desktop Domain Accounts

    Not supported

    Not supported

    - - -

    Enforced values for Local and Microsoft Accounts: - -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) - -

    The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -**DeviceLock/MinDevicePasswordLength** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies the minimum number or characters required in the PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - - -

    The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for mobile devices and desktop devices. - -

    Max policy value is the most restricted. - -

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -**DeviceLock/PreventLockScreenSlideShow** - - -Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. - -By default, users can enable a slide show that will run after they lock the machine. - -If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - - -ADMX Info: -- GP english name: *Prevent enabling lock screen slide show* -- GP name: *CPL_Personalization_NoLockScreenSlideshow* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - - -**DeviceLock/ScreenTimeoutWhileLocked** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. -  -

    Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. - -

    Minimum supported value is 10. - -

    Maximum supported value is 1800. - -

    The default value is 10. - -

    Most restricted value is 0. - - - - -**Display/TurnOffGdiDPIScalingForApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -

    This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. - -

    If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -

    If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. - -

    If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -

    To validate on Desktop, do the following: - -1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. -2. Run the app and observe blurry text. - - - - -**Display/TurnOnGdiDPIScalingForApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -

    This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. - -

    If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. - -

    If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -

    If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -

    To validate on Desktop, do the following: - -1. Configure the setting for an app which uses GDI. -2. Run the app and observe crisp text. - - - - -**EnterpriseCloudPrint/CloudPrintOAuthAuthority** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. - -

    The datatype is a string. - -

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - - -**EnterpriseCloudPrint/CloudPrintOAuthClientId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. - -

    The datatype is a string. - -

    The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -**EnterpriseCloudPrint/CloudPrintResourceId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. - -

    The datatype is a string. - -

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. - -

    The datatype is a string. - -

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - - -**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. - -

    The datatype is an integer. - -

    For Windows Mobile, the default value is 20. - - - - -**EnterpriseCloudPrint/MopriaDiscoveryResourceId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. - -

    The datatype is a string. - -

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - - -**ErrorReporting/CustomizeConsentSettings** - - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types. - -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. - -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. - -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. - -- 4 (Send all data): Any data requested by Microsoft is sent automatically. - -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. 
-
-
-
-ADMX Info:
-- GP english name: *Customize consent settings*
-- GP name: *WerConsentCustomize_2*
-- GP path: *Windows Components/Windows Error Reporting/Consent*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DisableWindowsErrorReporting**
-
-
-This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
-
-If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
-
-If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
-
-
-
-ADMX Info:
-- GP english name: *Disable Windows Error Reporting*
-- GP name: *WerDisable_2*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DisplayErrorNotification**
-
-
-This policy setting controls whether users are shown an error dialog box that lets them report an error.
-
-If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
-
-If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification.
Disabling this policy setting is useful for servers that do not have interactive users.
-
-If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
-
-See also the Configure Error Reporting policy setting.
-
-
-
-ADMX Info:
-- GP english name: *Display Error Notification*
-- GP name: *PCH_ShowUI*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DoNotSendAdditionalData**
-
-
-This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
-
-If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
-
-If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
-
-
-
-ADMX Info:
-- GP english name: *Do not send additional data*
-- GP name: *WerNoSecondLevelData_2*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/PreventCriticalErrorDisplay**
-
-
-This policy setting prevents the display of the user interface for critical errors.
-
-If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
-
-If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
-
-
-
-ADMX Info:
-- GP english name: *Prevent display of the user interface for critical errors*
-- GP name: *WerDoNotShowUI*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**EventLogService/ControlEventLogBehavior**
-
-
-This policy setting controls Event Log behavior when the log file reaches its maximum size.
-
-If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
-
-If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
-
-Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
-
-
-
-ADMX Info:
-- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
-- GP name: *Channel_Log_Retention_1*
-- GP path: *Windows Components/Event Log Service/Application*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**EventLogService/SpecifyMaximumFileSizeApplicationLog**
-
-
-This policy setting specifies the maximum size of the log file in kilobytes.
-
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
-
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
-
-
-ADMX Info:
-- GP english name: *Specify the maximum log file size (KB)*
-- GP name: *Channel_LogMaxSize_1*
-- GP path: *Windows Components/Event Log Service/Application*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**EventLogService/SpecifyMaximumFileSizeSecurityLog**
-
-
-This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_2* -- GP path: *Windows Components/Event Log Service/Security* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeSystemLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_4* -- GP path: *Windows Components/Event Log Service/System* -- GP ADMX file name: *eventlog.admx* - - - - -**Experience/AllowCopyPaste** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

    Specifies whether copy and paste is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowCortana** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - -

    Benefit to the customer: - -

    Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -

    Sample scenario: - -

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - - -**Experience/AllowDeviceDiscovery** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows users to turn on/off device discovery UX. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. - -

    Most restricted value is 0. - - - - -**Experience/AllowManualMDMUnenrollment** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. - -> [!NOTE] -> The MDM server can always remotely delete the account. - - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies whether to display dialog prompt when no SIM card is detected. - -

    The following list shows the supported values: - -- 0 – SIM card dialog prompt is not displayed. -- 1 (default) – SIM card dialog prompt is displayed. - - - - -**Experience/AllowScreenCapture** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies whether screen capture is allowed. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowSyncMySettings** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). - -

    The following list shows the supported values: - -- 0 – Sync settings is not allowed. -- 1 (default) – Sync settings allowed. - - - - -**Experience/AllowTailoredExperiencesWithDiagnosticData** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

    Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. - -

    Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. - -> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowTaskSwitcher** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Allows or disallows task switching on the device. - -

    The following list shows the supported values: - -- 0 – Task switching not allowed. -- 1 (default) – Task switching allowed. - - - - -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - - -

    Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - -

    The following list shows the supported values: - -- 0 – Third-party suggestions not allowed. -- 1 (default) – Third-party suggestions allowed. - - - - -**Experience/AllowVoiceRecording** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies whether voice recording is allowed for apps. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowWindowsConsumerFeatures** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. - -  -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlight** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - - -

    Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlightOnActionCenter** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

    Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -

    Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Experience/AllowWindowsTips** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -Enables or disables Windows Tips / soft landing. - -

    The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - - - - -**Experience/ConfigureWindowsSpotlightOnLockScreen** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - - -

    Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. - -

    The following list shows the supported values: - -- 0 – None. -- 1 (default) – Windows spotlight enabled. -- 2 – placeholder only for future extension. Using this value has no effect. - - - - -**Experience/DoNotShowFeedbackNotifications** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Prevents devices from showing feedback questions from Microsoft. - -

    If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. - -

    If you disable or do not configure this policy setting, users can control how often they receive feedback questions. - -

    The following list shows the supported values: - -- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. -- 1 – Feedback notifications are disabled. - - - - -**Games/AllowAdvancedGamingServices** - - -

    Placeholder only. Currently not supported. - - - - -**InternetExplorer/AddSearchProvider** - - -This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. - -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. - -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - - -ADMX Info: -- GP english name: *Add a specific list of search providers to the user's list of search providers* -- GP name: *AddSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowActiveXFiltering** - - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. - -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. - -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. 
- - - -ADMX Info: -- GP english name: *Turn on ActiveX Filtering* -- GP name: *TurnOnActiveXFiltering* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowAddOnList** - - -This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. - -This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. - -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: - -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. - -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. - -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. 
-
-
-
-ADMX Info:
-- GP english name: *Add-on List*
-- GP name: *AddonManagement_AddOnList*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnhancedProtectedMode**
-
-
-Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
-
-If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
-
-If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.
-
-If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
-
-
-
-ADMX Info:
-- GP english name: *Turn on Enhanced Protected Mode*
-- GP name: *Advanced_EnableEnhancedProtectedMode*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
-
-
-This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
-
-If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu.
If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
-
-If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
-
-
-
-ADMX Info:
-- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu*
-- GP name: *EnterpriseModeEnable*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnterpriseModeSiteList**
-
-
-This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
-
-If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
-
-If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
-
-
-
-ADMX Info:
-- GP english name: *Use the Enterprise Mode IE website list*
-- GP name: *EnterpriseModeSiteList*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowInternetExplorer7PolicyList **
-
-
-This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
-
-If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
-
-If you disable or do not configure this policy setting, the user can add and remove sites from the list.
-
-
-
-ADMX Info:
-- GP english name: *Use Policy List of Internet Explorer 7 sites*
-- GP name: *CompatView_UsePolicyList*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowInternetExplorerStandardsMode**
-
-
-This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
-
-If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
-
-If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.
-
-If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
- - - -ADMX Info: -- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* -- GP name: *CompatView_IntranetSites* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. 
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. 
If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
- - - -ADMX Info: -- GP english name: *Locked-Down Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. 
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. 
Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Locked-Down Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowOneWordEntry** - - -This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. - -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. - -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - - -ADMX Info: -- GP english name: *Go to an intranet site for a one-word entry in the Address bar* -- GP name: *UseIntranetSiteForOneWordEntry* -- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSiteToZoneAssignmentList** - - -This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. 
- -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) - -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: - -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. - -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. - -If you disable or do not configure this policy, users may choose their own site-to-zone assignments. 
- - - -ADMX Info: -- GP english name: *Site to Zone Assignment List* -- GP name: *IZ_Zonemaps* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSuggestedSites** - - -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. - -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. - -If you disable this policy setting, the entry points and functionality associated with this feature are turned off. - -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - - -ADMX Info: -- GP english name: *Turn on Suggested Sites* -- GP name: *EnableSuggestedSites* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. 
If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
- - - -ADMX Info: -- GP english name: *Locked-Down Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - -ADMX Info: -- GP english name: *Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableAdobeFlash** - - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. 
- -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. - -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. - -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - - -ADMX Info: -- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* -- GP name: *DisableFlashInIE* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarnings** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. 
SmartScreen Filter also prevents the execution of files that are known to be malicious. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings* -- GP name: *DisableSafetyFilterOverride* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* -- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - - -This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). - -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you do not configure this policy setting, the user can choose to participate in the CEIP. 
- - - -ADMX Info: -- GP english name: *Prevent participation in the Customer Experience Improvement Program* -- GP name: *SQM_DisableCEIP* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEnclosureDownloading** - - -This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. - -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. - -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - - -ADMX Info: -- GP english name: *Prevent downloading of enclosures* -- GP name: *Disable_Downloading_of_Enclosures* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEncryptionSupport** - - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. - -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. - -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. 
- -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - - -ADMX Info: -- GP english name: *Turn off encryption support* -- GP name: *Advanced_SetWinInetProtocols* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFirstRunWizard** - - -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. - -If you enable this policy setting, you must make one of the following choices: -Skip the First Run wizard, and go directly to the user's home page. -Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. - -Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. - -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - - -ADMX Info: -- GP english name: *Prevent running First Run wizard* -- GP name: *NoFirstRunCustomise* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFlipAheadFeature** - - -This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. - -Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. - -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. 
- -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. - -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - - -ADMX Info: -- GP english name: *Turn off the flip ahead with page prediction feature* -- GP name: *Advanced_DisableFlipAhead* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableHomePageChange** - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. - -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. - -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - - -ADMX Info: -- GP english name: *Disable changing home page settings* -- GP name: *RestrictHomePage* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableProxyChange** - - -This policy setting specifies if a user can change proxy settings. - -If you enable this policy setting, the user will not be able to configure proxy settings. - -If you disable or do not configure this policy setting, the user can configure proxy settings. 
-
-
-
-ADMX Info:
-- GP english name: *Prevent changing proxy settings*
-- GP name: *RestrictProxy*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableSearchProviderChange**
-
-
-This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
-
-If you enable this policy setting, the user cannot change the default search provider.
-
-If you disable or do not configure this policy setting, the user can change the default search provider.
-
-
-
-ADMX Info:
-- GP english name: *Prevent changing the default search provider*
-- GP name: *NoSearchProvider*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableSecondaryHomePageChange**
-
-
-Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
-
-If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
-
-If you disable or do not configure this policy setting, the user can add secondary home pages.
-
-Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
-
-
-
-ADMX Info:
-- GP english name: *Disable changing secondary home page settings*
-- GP name: *SecondaryHomePages*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableUpdateCheck**
-
-
-Prevents Internet Explorer from checking whether a new version of the browser is available.
-
-If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
-
-If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.
-
-This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
-
-
-
-ADMX Info:
-- GP english name: *Disable Periodic Check for Internet Explorer software updates*
-- GP name: *NoUpdateCheck*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotAllowUsersToAddSites**
-
-
-Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
-
-If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
-
-If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.
-
-This policy prevents users from changing site management settings for security zones established by the administrator.
-
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
-
-Also, see the "Security zones: Use only machine settings" policy.
-
-
-
-ADMX Info:
-- GP english name: *Security Zones: Do not allow users to add/delete sites*
-- GP name: *Security_zones_map_edit*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotAllowUsersToChangePolicies**
-
-
-Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
-
-If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
-
-If you disable this policy or do not configure it, users can change the settings for security zones.
-
-This policy prevents users from changing security zone settings established by the administrator.
-
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
-
-Also, see the "Security zones: Use only machine settings" policy.
-
-
-
-ADMX Info:
-- GP english name: *Security Zones: Do not allow users to change policies*
-- GP name: *Security_options_edit*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotBlockOutdatedActiveXControls**
-
-
-This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
-
-If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
-
-If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
-
-For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
-
-
-ADMX Info:
-- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
-- GP name: *VerMgmtDisable*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
-
-
-This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
-
-If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-
-1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
-2. "hostname". For example, if you want to include http://example, use "example"
-3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
-
-If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
-
-For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
-
-
-ADMX Info:
-- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
-- GP name: *VerMgmtDomainAllowlist*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IncludeAllLocalSites**
-
-
-This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
-
-If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
-
-If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
-
-If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
-
-
-
-ADMX Info:
-- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
-- GP name: *IZ_IncludeUnspecifiedLocalSites*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IncludeAllNetworkPaths**
-
-
-This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
-
-If you enable this policy setting, all network paths are mapped into the Intranet Zone.
-
-If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
-
-If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
-
-
-
-ADMX Info:
-- GP english name: *Intranet Sites: Include all network paths (UNCs)*
-- GP name: *IZ_UNCAsIntranet*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented.
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
-
-If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. 
Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. 
- -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. 
These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. 
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
-
-If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/SearchProviderList**
-
-
-This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
-
-If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
-
-If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
-
-
-
-ADMX Info:
-- GP english name: *Restrict search providers to a specific list*
-- GP name: *SpecificSearchProvider*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. 
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. 
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**Kerberos/AllowForestSearchOrder**
-
-
-This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
-
-If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
-
-If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
-
-
-
-ADMX Info:
-- GP english name: *None*
-- GP name: *ForestSearch*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
-
-
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
-If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
-
-If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
-
-
-
-ADMX Info:
-- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
-- GP name: *EnableCbacAndArmor*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/RequireKerberosArmoring**
-
-
-This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
-
-Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
-
-If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
-
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
-
-If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
-
-
-
-ADMX Info:
-- GP english name: *Fail authentication requests when Kerberos armoring is not available*
-- GP name: *ClientRequireFast*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/RequireStrictKDCValidation**
-
-
-This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
-
-If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
- -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - -ADMX Info: -- GP english name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/SetMaximumContextTokenSize** - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - -ADMX Info: -- GP english name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Licensing/AllowWindowsEntitlementReactivation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. - -

    The following list shows the supported values: - -- 0 – Disable Windows license reactivation on managed devices. -- 1 (default) – Enable Windows license reactivation on managed devices. - - - - -**Licensing/DisallowKMSClientOnlineAVSValidation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. - -

    The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -**Location/EnableLocation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. - -> [!IMPORTANT] -> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. - -

    The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - -

    To validate on Desktop, do the following: - -1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. -2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - - -**LockDown/AllowEdgeSwipe** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. - -

    The following list shows the supported values: - -- 0 - disallow edge swipe. -- 1 (default, not configured) - allow edge swipe. - -

    The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - - -**Maps/AllowOfflineMapsDownloadOverMeteredConnection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. - -

    The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force disable auto-update over metered connection. -- 1 – Enabled. Force enable auto-update over metered connection. - -

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -**Maps/EnableOfflineMapsAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Disables the automatic download and update of map data. - -

    The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force off auto-update. -- 1 – Enabled. Force on auto-update. - -

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -**Messaging/AllowMMS** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

    Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement. - -

    The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - -**Messaging/AllowMessageSync** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. - -

    The following list shows the supported values: - -- 0 - message sync is not allowed and cannot be changed by the user. -- 1 - message sync is allowed. The user can change this setting. - - - - -**Messaging/AllowRCS** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -

    Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement. - -

    The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - -**NetworkIsolation/EnterpriseCloudResources** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - - -**NetworkIsolation/EnterpriseIPRange** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: - -``` syntax -10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, -192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, -2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, -2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, -fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -``` - - - - -**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - - -**NetworkIsolation/EnterpriseInternalProxyServers** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - - -**NetworkIsolation/EnterpriseNetworkDomainNames** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". - -> [!NOTE] -> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -  - -

    Here are the steps to create canonical domain names: - -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - - -**NetworkIsolation/EnterpriseProxyServers** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - - -**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - - -**NetworkIsolation/NeutralResources** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    List of domain names that can used for work or personal resource. - - - - -**Notifications/DisallowNotificationMirroring** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. - - -

    For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. - -

    No reboot or service restart is required for this policy to take effect. - -

    The following list shows the supported values: - -- 0 (default)– enable notification mirroring. -- 1 – disable notification mirroring. - - - - -**Power/AllowStandbyWhenSleepingPluggedIn** - - -This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. - -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. - -If you disable this policy setting, standby states (S1-S3) are not allowed. - - - -ADMX Info: -- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* -- GP name: *AllowStandbyStatesAC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/DisplayOffTimeoutOnBattery** - - -

    Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. - -

    If you disable or do not configure this policy setting, users control this setting. - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Turn off the display (on battery)* -- GP name: *VideoPowerDownTimeOutDC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/DisplayOffTimeoutPluggedIn** - - - -

    Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. - -

    If you disable or do not configure this policy setting, users control this setting. - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Turn off the display (plugged in)* -- GP name: *VideoPowerDownTimeOutAC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/HibernateTimeoutOnBattery** - - -

    Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. - -

    If you disable or do not configure this policy setting, users control this setting. - - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - -ADMX Info: -- GP english name: *Specify the system hibernate timeout (on battery)* -- GP name: *DCHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/HibernateTimeoutPluggedIn** - - -

    Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. - -

    If you disable or do not configure this policy setting, users control this setting. - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system hibernate timeout (plugged in)* -- GP name: *ACHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/RequirePasswordWhenComputerWakesOnBattery** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (on battery)* -- GP name: *DCPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -**Power/RequirePasswordWhenComputerWakesPluggedIn** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (plugged in)* -- GP name: *ACPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/StandbyTimeoutOnBattery** - - -

    Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. - -

    If you disable or do not configure this policy setting, users control this setting. - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system sleep timeout (on battery)* -- GP name: *DCStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Power/StandbyTimeoutPluggedIn** - - -

    Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. - -

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. - -

    If you disable or do not configure this policy setting, users control this setting. - -

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP english name: *Specify the system sleep timeout (plugged in)* -- GP name: *ACStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - - -**Printers/PointAndPrintRestrictions** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. 
- -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PointAndPrintRestrictions_User** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. 
--Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PublishPrinters** - - -Determines whether the computer's shared printers can be published in Active Directory. - -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. - -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. - -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". 
- - - -ADMX Info: -- GP english name: *Allow printers to be published* -- GP name: *PublishPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* - - - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check markcheck mark
    - - - -

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -

    The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - -

    Most restricted value is 0. - - - - -**Privacy/AllowInputPersonalization** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. -  - - - - -**Privacy/DisableAdvertisingId** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -

    The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - -

    Most restricted value is 0. - - - - -**Privacy/LetAppsAccessAccountInfo** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -**Privacy/LetAppsAccessCamera** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - -

    The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - -

    The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -

    Most restricted value is 2. - - - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -**RemoteAssistance/CustomizeWarningMessages** - - -This policy setting lets you customize warning messages. - -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. - -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. - -If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. - -If you disable this policy setting, the user sees the default warning message. - -If you do not configure this policy setting, the user sees the default warning message. - - - -ADMX Info: -- GP english name: *Customize warning messages* -- GP name: *RA_Options* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/SessionLogging** - - -This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. - -If you enable this policy setting, log files are generated. - -If you disable this policy setting, log files are not generated. - -If you do not configure this setting, application-based settings are used. - - - -ADMX Info: -- GP english name: *Turn on session logging* -- GP name: *RA_Logging* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/SolicitedRemoteAssistance** - - -This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. 
- -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. - -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. - -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." - -The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. - -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. - -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. 
- - - -ADMX Info: -- GP english name: *Configure Solicited Remote Assistance* -- GP name: *RA_Solicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteAssistance/UnsolicitedRemoteAssistance** - - -This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. - -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. - -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. - -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: - -\ or - -\ - -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. - -Windows Vista and later - -Enable the Remote Assistance exception for the domain profile. 
The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe - -Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe - -For computers running Windows Server 2003 with Service Pack 1 (SP1) - -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception - - - -ADMX Info: -- GP english name: *Configure Offer Remote Assistance* -- GP name: *RA_Unsolicit* -- GP ADMX file name: *remoteassistance.admx* - - - - -**RemoteDesktopServices/AllowUsersToConnectRemotely** - - -This policy setting allows you to configure remote access to computers by using Remote Desktop Services. - -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. - -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. - -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. - -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. 
- -You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. - - - -ADMX Info: -- GP english name: *Allow users to connect remotely by using Remote Desktop Services* -- GP name: *TS_DISABLE_CONNECTIONS* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - - -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. - -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: - -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. - -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. 
Use this encryption level in environments that include clients that do not support 128-bit encryption. - -* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. - -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. - -Important - -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. - - - -ADMX Info: -- GP english name: *Set client connection encryption level* -- GP name: *TS_ENCRYPTION_POLICY* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/DoNotAllowDriveRedirection** - - -This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). - -By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. - -If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. 
- -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. - -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. - - - -ADMX Info: -- GP english name: *Do not allow drive redirection* -- GP name: *TS_CLIENT_DRIVE_M* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/DoNotAllowPasswordSaving** - - -Controls whether passwords can be saved on this computer from Remote Desktop Connection. - -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. - - - -ADMX Info: -- GP english name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/PromptForPasswordUponConnection** - - -This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. - -You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. - -By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. 
- -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. - -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. - -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. - - - -ADMX Info: -- GP english name: *Always prompt for password upon connection* -- GP name: *TS_PASSWORD* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteDesktopServices/RequireSecureRPCCommunication** - - -Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. - -You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. - -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. - -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. - -If the status is set to Not Configured, unsecured communication is allowed. - -Note: The RPC interface is used for administering and configuring Remote Desktop Services. 
- - - -ADMX Info: -- GP english name: *Require secure RPC communication* -- GP name: *TS_RPC_ENCRYPTION* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* - - - - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. - -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -Note: This policy will not be applied until the system is rebooted. - - - -ADMX Info: -- GP english name: *Enable RPC Endpoint Mapper Client Authentication* -- GP name: *RpcEnableAuthEpResolution* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - - -This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. 
Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. - -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. - -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. - -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. - --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. - --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. - --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. - -Note: This policy setting will not be applied until the system is rebooted. 
- - - -ADMX Info: -- GP english name: *Restrict Unauthenticated RPC clients* -- GP name: *RpcRestrictRemoteClients* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -**Search/AllowIndexingEncryptedStoresOrItems** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. - -

    When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. - -

    When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Search/AllowSearchToUseLocation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether search can leverage location information. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Search/AllowUsingDiacritics** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows the use of diacritics. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Search/AlwaysUseAutoLangDetection** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to always use automatic language detection when indexing content and properties. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Search/DisableBackoff** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. - -

    The following list shows the supported values: - -- 0 (default) – Disable. -- 1 – Enable. - - - - -**Search/DisableRemovableDriveIndexing** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    This policy setting configures whether or not locations on removable drives can be added to libraries. - -

    If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. - -

    If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. - -

    The following list shows the supported values: - -- 0 (default) – Disable. -- 1 – Enable. - - - - -**Search/PreventIndexingLowDiskSpaceMB** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. - -

    Enable this policy if computers in your environment have extremely limited hard drive space. - -

    When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. - -

    The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -**Search/PreventRemoteQueries** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. - -

    The following list shows the supported values: - -- 0 – Disable. -- 1 (default) – Enable. - - - - -**Search/SafeSearchPermissions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies what level of safe search (filtering adult content) is required. - -

    The following list shows the supported values: - -- 0 – Strict, highest filtering against adult content. -- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered). - -

    Most restricted value is 0. - - - - -**Security/AllowAddProvisioningPackage** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow the runtime configuration agent to install provisioning packages. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy has been deprecated in Windows 10, version 1607 - -
    - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AllowManualRootCertificateInstallation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - - -

    Specifies whether the user is allowed to manually install root and intermediate CA certificates. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Security/AllowRemoveProvisioningPackage** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow the runtime configuration agent to remove provisioning packages. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Security/AntiTheftMode** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -  -

    Allows or disallow Anti Theft Mode on the device. - -

    The following list shows the supported values: - -- 0 – Don't allow Anti Theft Mode. -- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). - - - - -**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. - -

    Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. - -

    The following list shows the supported values: - -- 0 (default) – Encryption enabled. -- 1 – Encryption disabled. - - - - -**Security/RequireDeviceEncryption** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. - -

    Allows enterprise to turn on internal storage encryption. - -

    The following list shows the supported values: - -- 0 (default) – Encryption is not required. -- 1 – Encryption is required. - -

    Most restricted value is 1. - -> [!IMPORTANT] -> If encryption has been enabled, it cannot be turned off by using this policy. - - - - -**Security/RequireProvisioningPackageSignature** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether provisioning packages must have a certificate signed by a device trusted authority. - -

    The following list shows the supported values: - -- 0 (default) – Not required. -- 1 – Required. - - - - -**Security/RequireRetrieveHealthCertificateOnBoot** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. - -

    The following list shows the supported values: - -- 0 (default) – Not required. -- 1 – Required. - -

    Setting this policy to 1 (Required): - -- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. -- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. - -> [!NOTE] -> We recommend that this policy is set to Required after MDM enrollment. -  - -

    Most restricted value is 1. - - - - -**Settings/AllowAutoPlay** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows the user to change Auto Play settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -> [!NOTE] -> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. - - - - -**Settings/AllowDataSense** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows the user to change Data Sense settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowDateTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows the user to change date and time settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowEditDeviceName** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    - - - -

    Allows editing of the device name. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowLanguage** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows the user to change the language settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowPowerSleep** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows the user to change power and sleep settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowRegion** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows the user to change the region settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowSignInOptions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows the user to change sign-in options. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowVPN** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows the user to change VPN settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowWorkplace** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Allows user to change workplace settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/AllowYourAccount** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows user to change account settings. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Settings/ConfigureTaskbarCalendar** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. - -

    The following list shows the supported values: - -- 0 (default) – User will be allowed to configure the setting. -- 1 – Don't show additional calendars. -- 2 - Simplified Chinese (Lunar). -- 3 - Traditional Chinese (Lunar). - - - - -**Settings/PageVisibilityList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. - -

    The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - -

    showonly:about;bluetooth - -

    If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. - -

    The format of the PageVisibilityList value is as follows: - -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. -- The first variant starts with the string "showonly:" and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". - -

    The default value for this setting is an empty string, which is interpreted as show everything. - -

    Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: - -

    showonly:wi-fi;bluetooth - -

    Example 2, specifies that the wifi page should not be shown: - -

    hide:wifi - -

    To validate on Desktop, do the following: - -1. Open System Settings and verfiy that the About page is visible and accessible. -2. Configure the policy with the following string: "hide:about". -3. Open System Settings again and verify that the About page is no longer accessible. - - - - -**SmartScreen/EnableAppInstallControl** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. - -

    The following list shows the supported values: - -- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. -- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. - - - - -**SmartScreen/EnableSmartScreenInShell** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. - -

    The following list shows the supported values: - -- 0 – Turns off SmartScreen in Windows. -- 1 – Turns on SmartScreen in Windows. - - - - -**SmartScreen/PreventOverrideForFilesInShell** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. - -

    The following list shows the supported values: - -- 0 – Employees can ignore SmartScreen warnings and run malicious files. -- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. - - - - -**Speech/AllowSpeechModelUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    - - - -

    Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -**Start/AllowPinnedFolderDocuments** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderDownloads** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderFileExplorer** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderHomeGroup** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderMusic** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderNetwork** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderPersonalFolder** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderPictures** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderSettings** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/AllowPinnedFolderVideos** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. - -

    The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. - - - - -**Start/ForceStartSize** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - - -

    Forces the start screen size. - -

    The following list shows the supported values: - -- 0 (default) – Do not force size of Start. -- 1 – Force non-fullscreen size of Start. -- 2 - Force a fullscreen size of Start. - -

    If there is policy configuration conflict, the latest configuration request is applied to the device. - - - - -**Start/HideAppList** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. - -

    The following list shows the supported values: - -- 0 (default) – None. -- 1 – Hide all apps list. -- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. -- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. - -

    To validate on Desktop, do the following: - -- 1 - Enable policy and restart explorer.exe -- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. -- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. -- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - - -**Start/HideChangeAccountSettings** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Change account settings" is not available. - - - - -**Start/HideFrequentlyUsedApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable "Show most used apps" in the Settings app. -2. Use some apps to get them into the most used group in Start. -3. Enable policy. -4. Restart explorer.exe -5. Check that "Show most used apps" Settings toggle is grayed out. -6. Check that most used apps do not appear in Start. - - - - -**Start/HideHibernate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Laptop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Hibernate" is not available. - -> [!NOTE] -> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. - - - - -**Start/HideLock** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Lock" is not available. - - - - -**Start/HidePowerButton** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, and verify the power button is not available. - - - - -**Start/HideRecentJumplists** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. -2. Pin Photos to the taskbar, and open some images in the photos app. -3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up. -4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. -5. Enable policy. -6. Restart explorer.exe -7. Check that Settings toggle is grayed out. -8. Repeat Step 2. -9. Right Click pinned photos app and verify that there is no jumplist of recent items. - - - - -**Start/HideRecentlyAddedApps** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable "Show recently added apps" in the Settings app. -2. Check if there are recently added apps in Start (if not, install some). -3. Enable policy. -4. Restart explorer.exe -5. Check that "Show recently added apps" Settings toggle is grayed out. -6. Check that recently added apps do not appear in Start. - - - - -**Start/HideRestart** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. - - - - -**Start/HideShutDown** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. - - - - -**Start/HideSignOut** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Sign out" is not available. - - - - -**Start/HideSleep** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the Power button, and verify that "Sleep" is not available. - - - - -**Start/HideSwitchAccount** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Switch account" is not available. - - - - -**Start/HideUserTile** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. - -

    The following list shows the supported values: - -- 0 (default) – False (do not hide). -- 1 - True (hide). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Log off. -3. Log in, and verify that the user tile is gone from Start. - - - - -**Start/ImportEdgeAssets** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -

    Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. - -> [!IMPORTANT] -> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. - -

    The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic. - -

    To validate on Desktop, do the following: - -1. Set policy with an XML for Edge assets. -2. Set StartLayout policy to anything so that it would trigger the Edge assets import. -3. Sign out/in. -4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. - - - - -**Start/NoPinningToTaskbar** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. - -

    The following list shows the supported values: - -- 0 (default) – False (pinning enabled). -- 1 - True (pinning disabled). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Right click on a program pinned to taskbar. -3. Verify that "Unpin from taskbar" menu does not show. -4. Open Start and right click on one of the app list icons. -5. Verify that More->Pin to taskbar menu does not show. - - - - -**Start/StartLayout** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    - - - -> [!IMPORTANT] -> This node is set on a per-user basis and must be accessed using the following paths: -> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. -> -> -> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: -> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. -> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. - - -

    Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy - -

    This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. - - - - -**Storage/EnhancedStorageDevices** - - -This policy setting configures whether or not Windows will activate an Enhanced Storage device. - -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. - -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - - -ADMX Info: -- GP english name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* - - - - -**System/AllowBuildPreview** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -

    This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -

    If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - -

    The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -**System/AllowEmbeddedMode** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether set general purpose device to be in embedded mode. - -

    The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -

    Most restricted value is 0. - - - - -**System/AllowExperimentation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -

    This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - -

    The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - -

    Most restricted value is 0. - - - - -**System/AllowFontProviders** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -

    Supported values: - -- false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - -

    This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -

    This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - -

    To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -**System/AllowLocation** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow app access to the Location service. - -

    The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - -

    Most restricted value is 0. - -

    While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -

    When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -

    For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - - -**System/AllowStorageCard** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -

    The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - -

    Most restricted value is 0. - - - - -**System/AllowTelemetry** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allow the device to send diagnostic and usage telemetry data, such as Watson. - -

    The following tables describe the supported values: - - --- - - - - - - - - - - - - - - - - -
    Windows 8.1 Values

    0 – Not allowed.

    -

    1 – Allowed, except for Secondary Data Requests.

    2 (default) – Allowed.

    - - - --- - - - - - - - - - - - - - - - - - - - -
    Windows 10 Values

    0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

    -
    -Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -
    -

    1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

    2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

    3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

    - - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -

    Most restricted value is 0. - - - - -**System/AllowUserToResetPhone** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - -

    Most restricted value is 0. - - - - -**System/BootStartDriverInitialization** - - -N/A - - - -ADMX Info: -- GP english name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -**System/DisableOneDriveFileSync** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Windows Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -

    If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - -

    The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -**System/DisableSystemRestore** - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - - -ADMX Info: -- GP english name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -**System/TelemetryProxy** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -

    If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - - -**TextInput/AllowIMELogging** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowIMENetworkAccess** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowInputPanel** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the IT admin to disable the touch/handwriting keyboard on Windows. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowJapaneseIMESurrogatePairCharacters** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the Japanese IME surrogate pair characters. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowJapaneseIVSCharacters** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows Japanese Ideographic Variation Sequence (IVS) characters. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowJapaneseNonPublishingStandardGlyph** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the Japanese non-publishing standard glyph. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowJapaneseUserDictionary** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the Japanese user dictionary. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/AllowKeyboardTextSuggestions** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -

    Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. - -

    The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - -

    Most restricted value is 0. - -

    To validate that text prediction is disabled on Windows 10 for desktop, do the following: - -1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. -2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. -3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. - - - - -**TextInput/AllowKoreanExtendedHanja** - - -

    This policy has been deprecated. - - - - -**TextInput/AllowLanguageFeaturesUninstall** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the uninstall of language features, such as spell checkers, on a device. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**TextInput/ExcludeJapaneseIMEExceptJIS0208** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the users to restrict character code range of conversion by setting the character filter. - -

    The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 are filtered. - - - - -**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the users to restrict character code range of conversion by setting the character filter. - -

    The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 and EUDC are filtered. - - - - -**TextInput/ExcludeJapaneseIMEExceptShiftJIS** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - - -

    Allows the users to restrict character code range of conversion by setting the character filter. - -

    The following list shows the supported values: - -- 0 (default) – No characters are filtered. -- 1 – All characters except ShiftJIS are filtered. - - - - -**TimeLanguageSettings/AllowSet24HourClock** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    - - - -

    Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. - -

    The following list shows the supported values: - -- 0 – Locale default setting. -- 1 (default) – Set 24 hour clock. - - - - -**Update/ActiveHoursEnd** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -

    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -

    The default is 17 (5 PM). - - - - -**Update/ActiveHoursMaxRange** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -

    Supported values are 8-18. - -

    The default value is 18 (hours). - - - - -**Update/ActiveHoursStart** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -

    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -

    The default value is 8 (8 AM). - - - - -**Update/AutoRestartDeadlinePeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. - -

    Supported values are 2-30 days. - -

    The default value is 7 days. - - - - -**Update/AllowAutoUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -

    Supported operations are Get and Replace. - -

    The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. 
Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -  - -

    If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - - -**Update/AllowMUUpdateService** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -

    Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - -

    The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -**Update/AllowNonMicrosoftSignedUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. - -

    Supported operations are Get and Replace. - -

    The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - -

    This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - -**Update/AllowUpdateService** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. - -

    Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store - -

    Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. - -

    The following list shows the supported values: - -- 0 – Update service is not allowed. -- 1 (default) – Update service is allowed. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - - -**Update/AutoRestartNotificationSchedule** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. - -

    Supported values are 15, 30, 60, 120, and 240 (minutes). - -

    The default value is 15 (minutes). - - - - -**Update/AutoRestartRequiredNotificationDismissal** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. - -

    The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - - - - -**Update/BranchReadinessLevel** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - -

    The following list shows the supported values: - -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). - - - - -**Update/DeferFeatureUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -

    Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -

    Supported values are 0-365 days. - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - - -**Update/DeferQualityUpdatesPeriodInDays** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -

    Supported values are 0-30. - - - - -**Update/DeferUpdatePeriod** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -

    Allows IT Admins to specify update delays for up to 4 weeks. - -

    Supported values are 0-4, which refers to the number of weeks to defer updates. - -

    In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: - -- Update/RequireDeferUpgrade must be set to 1 -- System/AllowTelemetry must be set to 1 or higher - -

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

    If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Update categoryMaximum deferralDeferral incrementUpdate type/notes

    OS upgrade

    8 months

    1 month

    Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

    Update

    1 month

    1 week

    -Note -If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. -
    -
      -
    • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
    • -
    • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
    • -
    • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
    • -
    • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
    • -
    • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
    • -
    • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
    • -
    • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    • -
    • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    • -

    Other/cannot defer

    No deferral

    No deferral

    Any update category not specifically enumerated above falls into this category.

    -

    Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

    - - - - -**Update/DeferUpgradePeriod** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -

    Allows IT Admins to specify additional upgrade delays for up to 8 months. - -

    Supported values are 0-8, which refers to the number of months to defer upgrades. - -

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -**Update/DetectionFrequency** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - - -**Update/EngagedRestartDeadline** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). - -

    Supported values are 2-30 days. - -

    The default value is 0 days (not specified). - - - - -**Update/EngagedRestartSnoozeSchedule** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. - -

    Supported values are 1-3 days. - -

    The default value is 3 days. - - - - -**Update/EngagedRestartTransitionSchedule** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -

    Supported values are 2-30 days. - -

    The default value is 7 days. - - - - -**Update/ExcludeWUDriversInQualityUpdate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - -

    Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - -

    The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - - - - -**Update/FillEmptyContentUrls** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
    - - - -

    Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. - -

    The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - -**Update/IgnoreMOAppDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -

    The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - -

    To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -**Update/IgnoreMOUpdateDownloadLimit** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -

    The following list shows the supported values: - -- 0 (default) – Do not ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - -

    To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - -**Update/PauseDeferrals** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - - -

    Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. - -

    The following list shows the supported values: - -- 0 (default) – Deferrals are not paused. -- 1 – Deferrals are paused. - -

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -**Update/PauseFeatureUpdates** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - - -

    Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - -

    The following list shows the supported values: - -- 0 (default) – Feature Updates are not paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -**Update/PauseFeatureUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. - -

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -**Update/PauseQualityUpdates** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -

    Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - -

    The following list shows the supported values: - -- 0 (default) – Quality Updates are not paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -**Update/PauseQualityUpdatesStartTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. - -

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -**Update/RequireDeferUpgrade** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - - -

    Allows the IT admin to set a device to CBB train. - -

    The following list shows the supported values: - -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. - - - - -**Update/RequireUpdateApproval** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -
    - -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -

    Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. - -

    Supported operations are Get and Replace. - -

    The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -**Update/ScheduleImminentRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -

    Supported values are 15, 30, or 60 (minutes). - -

    The default value is 15 (minutes). - - - - -**Update/ScheduleRestartWarning** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. - -

    Supported values are 2, 4, 8, 12, or 24 (hours). - -

    The default value is 4 (hours). - - - - -**Update/ScheduledInstallDay** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Enables the IT admin to schedule the day of the update installation. - -

    The data type is a integer. - -

    Supported operations are Add, Delete, Get, and Replace. - -

    The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - - - - -**Update/ScheduledInstallEveryWeek** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    - - - -

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: -

      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every week
    • -
    - - - - -**Update/ScheduledInstallFirstWeek** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    - - - -

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: -

      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every first week of the month
    • -
    - - - - -**Update/ScheduledInstallFourthWeek** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    - - - -

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: -

      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every fourth week of the month
    • -
    - - - - -**Update/ScheduledInstallSecondWeek** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    - - - -

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: -

      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every second week of the month
    • -
    - - - - -**Update/ScheduledInstallThirdWeek** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    - - - -

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: -

      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every third week of the month
    • -
    - - - - -**Update/ScheduledInstallTime** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Enables the IT admin to schedule the time of the update installation. - -

    The data type is a integer. - -

    Supported operations are Add, Delete, Get, and Replace. - -

    Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -

    The default value is 3. - - - - -**Update/SetAutoRestartNotificationDisable** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - - -

    Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. - -

    The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - - - - -**Update/SetEDURestart** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    - - - -

    Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. - -

    The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -**Update/UpdateServiceUrl** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise - -> [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. - -

    Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. - -

    Supported operations are Get and Replace. - -

    The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -``` syntax - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - - - - -**Update/UpdateServiceUrlAlternate** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -

    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -

    This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -

    To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -

    Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. -> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - - -**WiFi/AllowWiFiHotSpotReporting** - - -

    This policy has been deprecated. - - - - -**Wifi/AllowAutoConnectToWiFiSenseHotspots** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allow or disallow the device to automatically connect to Wi-Fi hotspots. - -

    The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -

    Most restricted value is 0. - - - - -**Wifi/AllowInternetSharing** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allow or disallow internet sharing. - -

    The following list shows the supported values: - -- 0 – Do not allow the use of Internet Sharing. -- 1 (default) – Allow the use of Internet Sharing. - -

    Most restricted value is 0. - - - - -**Wifi/AllowManualWiFiConfiguration** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    - - - -

    Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. - -

    The following list shows the supported values: - -- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. -- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. - -

    Most restricted value is 0. - -> [!NOTE] -> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - -**Wifi/AllowWiFi** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    - - - -

    Allow or disallow WiFi connection. - -

    The following list shows the supported values: - -- 0 – WiFi connection is not allowed. -- 1 (default) – WiFi connection is allowed. - -

    Most restricted value is 0. - - - - -**Wifi/AllowWiFiDirect** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. Allow WiFi Direct connection.. - -- 0 - WiFi Direct connection is not allowed. -- 1 - WiFi Direct connection is allowed. - - - - -**Wifi/WLANScanMode** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    - - - -

    Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. - -

    Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. - -

    The default value is 0. - -

    Supported operations are Add, Delete, Get, and Replace. - - - - -**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. - -

    Value type is bool. The following list shows the supported values: - -- 0 - app suggestions are not allowed. -- 1 (default) -allow app suggestions. - - - - -**WindowsInkWorkspace/AllowWindowsInkWorkspace** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. - -

    Value type is int. The following list shows the supported values: - -- 0 - access to ink workspace is disabled. The feature is turned off. -- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. -- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - - -**WindowsLogon/DisableLockScreenAppNotifications** - - -This policy setting allows you to prevent app notifications from appearing on the lock screen. - -If you enable this policy setting, no app notifications are displayed on the lock screen. - -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - - -ADMX Info: -- GP english name: *Turn off app notifications on the lock screen* -- GP name: *DisableLockScreenAppNotifications* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* - - - - -**WindowsLogon/DontDisplayNetworkSelectionUI** - - -This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. - -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. - -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - - -ADMX Info: -- GP english name: *Do not display network selection UI* -- GP name: *DontDisplayNetworkSelectionUI* -- GP path: *System/Logon* -- GP ADMX file name: *logon.admx* - - - - -**WindowsLogon/HideFastUserSwitching** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    - - - -

    Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. - -

    Value type is bool. The following list shows the supported values: - -- 0 (default) - Diabled (visible). -- 1 - Enabled (hidden). - -

    To validate on Desktop, do the following: - -1. Enable policy. -2. Verify that the Switch account button in Start is hidden. - - - - -**WirelessDisplay/AllowProjectionFromPC** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. - -- 0 - your PC cannot discover or project to other devices. -- 1 - your PC can discover and project to other devices - - - - -**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. - -- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. -- 1 - your PC can discover and project to other devices over infrastructure. - - - - -**WirelessDisplay/AllowProjectionToPC** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. - -

    If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -

    Value type is integer. Valid value: - -- 0 - projection to PC is not allowed. Always off and the user cannot enable it. -- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - - -**WirelessDisplay/AllowProjectionToPCOverInfrastructure** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    - - - -

    Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. - -- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. -- 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - - -**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - - -

    Added in Windows 10, version 1703. - - - - -**WirelessDisplay/RequirePinForPairing** - - - - - - - - - - - - - - - - - - - - - -
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    - - - -

    Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. - -

    If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -

    Value type is integer. Valid value: - -- 0 (default) - PIN is not required. -- 1 - PIN is required. - - - -


    - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. - - +## Policies + +### AboveLock policies + +
    +
    + AboveLock/AllowActionCenterNotifications +
    +
    + AboveLock/AllowCortanaAboveLock +
    +
    + AboveLock/AllowToasts +
    +
    + +### Accounts policies + +
    +
    + Accounts/AllowAddingNonMicrosoftAccountsManually +
    +
    + Accounts/AllowMicrosoftAccountConnection +
    +
    + Accounts/AllowMicrosoftAccountSignInAssistant +
    +
    + Accounts/DomainNamesForEmailSync +
    +
    + +### ActiveXControls policies + +
    +
    + ActiveXControls/ApprovedInstallationSites +
    +
    + +### ApplicationDefaults policies + +
    +
    + ApplicationDefaults/DefaultAssociationsConfiguration +
    +
    + +### ApplicationManagement policies + +
    +
    + ApplicationManagement/AllowAllTrustedApps +
    +
    + ApplicationManagement/AllowAppStoreAutoUpdate +
    +
    + ApplicationManagement/AllowDeveloperUnlock +
    +
    + ApplicationManagement/AllowGameDVR +
    +
    + ApplicationManagement/AllowSharedUserAppData +
    +
    + ApplicationManagement/AllowStore +
    +
    + ApplicationManagement/ApplicationRestrictions +
    +
    + ApplicationManagement/DisableStoreOriginatedApps +
    +
    + ApplicationManagement/RequirePrivateStoreOnly +
    +
    + ApplicationManagement/RestrictAppDataToSystemVolume +
    +
    + ApplicationManagement/RestrictAppToSystemVolume +
    +
    + +### AppVirtualization policies + +
    +
    + AppVirtualization/AllowAppVClient +
    +
    + AppVirtualization/AllowDynamicVirtualization +
    +
    + AppVirtualization/AllowPackageCleanup +
    +
    + AppVirtualization/AllowPackageScripts +
    +
    + AppVirtualization/AllowPublishingRefreshUX +
    +
    + AppVirtualization/AllowReportingServer +
    +
    + AppVirtualization/AllowRoamingFileExclusions +
    +
    + AppVirtualization/AllowRoamingRegistryExclusions +
    +
    + AppVirtualization/AllowStreamingAutoload +
    +
    + AppVirtualization/ClientCoexistenceAllowMigrationmode +
    +
    + AppVirtualization/IntegrationAllowRootGlobal +
    +
    + AppVirtualization/IntegrationAllowRootUser +
    +
    + AppVirtualization/PublishingAllowServer1 +
    +
    + AppVirtualization/PublishingAllowServer2 +
    +
    + AppVirtualization/PublishingAllowServer3 +
    +
    + AppVirtualization/PublishingAllowServer4 +
    +
    + AppVirtualization/PublishingAllowServer5 +
    +
    + AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +
    +
    + AppVirtualization/StreamingAllowHighCostLaunch +
    +
    + AppVirtualization/StreamingAllowLocationProvider +
    +
    + AppVirtualization/StreamingAllowPackageInstallationRoot +
    +
    + AppVirtualization/StreamingAllowPackageSourceRoot +
    +
    + AppVirtualization/StreamingAllowReestablishmentInterval +
    +
    + AppVirtualization/StreamingAllowReestablishmentRetries +
    +
    + AppVirtualization/StreamingSharedContentStoreMode +
    +
    + AppVirtualization/StreamingSupportBranchCache +
    +
    + AppVirtualization/StreamingVerifyCertificateRevocationList +
    +
    + AppVirtualization/VirtualComponentsAllowList +
    +
    + +### AttachmentManager policies + +
    +
    + AttachmentManager/DoNotPreserveZoneInformation +
    +
    + AttachmentManager/HideZoneInfoMechanism +
    +
    + AttachmentManager/NotifyAntivirusPrograms +
    +
    + +### Authentication policies + +
    +
    + Authentication/AllowEAPCertSSO +
    +
    + Authentication/AllowFastReconnect +
    +
    + Authentication/AllowSecondaryAuthenticationDevice +
    +
    + +### Autoplay policies + +
    +
    + Autoplay/DisallowAutoplayForNonVolumeDevices +
    +
    + Autoplay/SetDefaultAutoRunBehavior +
    +
    + Autoplay/TurnOffAutoPlay +
    +
    + +### Bitlocker policies + +
    +
    + Bitlocker/EncryptionMethod +
    +
    + +### Bluetooth policies + +
    +
    + Bluetooth/AllowAdvertising +
    +
    + Bluetooth/AllowDiscoverableMode +
    +
    + Bluetooth/AllowPrepairing +
    +
    + Bluetooth/LocalDeviceName +
    +
    + Bluetooth/ServicesAllowedList +
    +
    + +### Browser policies + +
    +
    + Browser/AllowAddressBarDropdown +
    +
    + Browser/AllowAutofill +
    +
    + Browser/AllowBrowser +
    +
    + Browser/AllowCookies +
    +
    + Browser/AllowDeveloperTools +
    +
    + Browser/AllowDoNotTrack +
    +
    + Browser/AllowExtensions +
    +
    + Browser/AllowFlash +
    +
    + Browser/AllowFlashClickToRun +
    +
    + Browser/AllowInPrivate +
    +
    + Browser/AllowMicrosoftCompatibilityList +
    +
    + Browser/AllowPasswordManager +
    +
    + Browser/AllowPopups +
    +
    + Browser/AllowSearchEngineCustomization +
    +
    + Browser/AllowSearchSuggestionsinAddressBar +
    +
    + Browser/AllowSmartScreen +
    +
    + Browser/ClearBrowsingDataOnExit +
    +
    + Browser/ConfigureAdditionalSearchEngines +
    +
    + Browser/DisableLockdownOfStartPages +
    +
    + Browser/EnterpriseModeSiteList +
    +
    + Browser/EnterpriseSiteListServiceUrl +
    +
    + Browser/FirstRunURL +
    +
    + Browser/HomePages +
    +
    + Browser/PreventAccessToAboutFlagsInMicrosoftEdge +
    +
    + Browser/PreventFirstRunPage +
    +
    + Browser/PreventLiveTileDataCollection +
    +
    + Browser/PreventSmartScreenPromptOverride +
    +
    + Browser/PreventSmartScreenPromptOverrideForFiles +
    +
    + Browser/PreventUsingLocalHostIPAddressForWebRTC +
    +
    + Browser/SendIntranetTraffictoInternetExplorer +
    +
    + Browser/SetDefaultSearchEngine +
    +
    + Browser/ShowMessageWhenOpeningSitesInInternetExplorer +
    +
    + Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +
    +
    + +### Camera policies + +
    +
    + Camera/AllowCamera +
    +
    + +### Cellular policies + +
    +
    + Cellular/ShowAppCellularAccessUI +
    +
    + +### Connectivity policies + +
    +
    + Connectivity/AllowBluetooth +
    +
    + Connectivity/AllowCellularData +
    +
    + Connectivity/AllowCellularDataRoaming +
    +
    + Connectivity/AllowConnectedDevices +
    +
    + Connectivity/AllowNFC +
    +
    + Connectivity/AllowUSBConnection +
    +
    + Connectivity/AllowVPNOverCellular +
    +
    + Connectivity/AllowVPNRoamingOverCellular +
    +
    + Connectivity/DiablePrintingOverHTTP +
    +
    + Connectivity/DisableDownloadingOfPrintDriversOverHTTP +
    +
    + Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +
    +
    + Connectivity/HardenedUNCPaths +
    +
    + Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +
    +
    + +### CredentialProviders policies + +
    +
    + CredentialProviders/AllowPINLogon +
    +
    + CredentialProviders/BlockPicturePassword +
    +
    + CredentialProviders/DisableAutomaticReDeploymentCredentials +
    +
    + +### CredentialsUI policies + +
    +
    + CredentialsUI/DisablePasswordReveal +
    +
    + CredentialsUI/EnumerateAdministrators +
    +
    + +### Cryptography policies + +
    +
    + Cryptography/AllowFipsAlgorithmPolicy +
    +
    + Cryptography/TLSCipherSuites +
    +
    + +### DataProtection policies + +
    +
    + DataProtection/AllowDirectMemoryAccess +
    +
    + DataProtection/LegacySelectiveWipeID +
    +
    + +### DataUsage policies + +
    +
    + DataUsage/SetCost3G +
    +
    + DataUsage/SetCost4G +
    +
    + +### Defender policies + +
    +
    + Defender/AllowArchiveScanning +
    +
    + Defender/AllowBehaviorMonitoring +
    +
    + Defender/AllowCloudProtection +
    +
    + Defender/AllowEmailScanning +
    +
    + Defender/AllowFullScanOnMappedNetworkDrives +
    +
    + Defender/AllowFullScanRemovableDriveScanning +
    +
    + Defender/AllowIOAVProtection +
    +
    + Defender/AllowIntrusionPreventionSystem +
    +
    + Defender/AllowOnAccessProtection +
    +
    + Defender/AllowRealtimeMonitoring +
    +
    + Defender/AllowScanningNetworkFiles +
    +
    + Defender/AllowScriptScanning +
    +
    + Defender/AllowUserUIAccess +
    +
    + Defender/AttackSurfaceReductionOnlyExclusions +
    +
    + Defender/AttackSurfaceReductionRules +
    +
    + Defender/AvgCPULoadFactor +
    +
    + Defender/CloudBlockLevel +
    +
    + Defender/CloudExtendedTimeout +
    +
    + Defender/DaysToRetainCleanedMalware +
    +
    + Defender/EnableGuardMyFolders +
    +
    + Defender/EnableNetworkProtection +
    +
    + Defender/ExcludedExtensions +
    +
    + Defender/ExcludedPaths +
    +
    + Defender/ExcludedProcesses +
    +
    + Defender/GuardedFoldersAllowedApplications +
    +
    + Defender/GuardedFoldersList +
    +
    + Defender/PUAProtection +
    +
    + Defender/RealTimeScanDirection +
    +
    + Defender/ScanParameter +
    +
    + Defender/ScheduleQuickScanTime +
    +
    + Defender/ScheduleScanDay +
    +
    + Defender/ScheduleScanTime +
    +
    + Defender/SignatureUpdateInterval +
    +
    + Defender/SubmitSamplesConsent +
    +
    + Defender/ThreatSeverityDefaultAction +
    +
    + +### DeliveryOptimization policies + +
    +
    + DeliveryOptimization/DOAbsoluteMaxCacheSize +
    +
    + DeliveryOptimization/DOAllowVPNPeerCaching +
    +
    + DeliveryOptimization/DODownloadMode +
    +
    + DeliveryOptimization/DOGroupId +
    +
    + DeliveryOptimization/DOMaxCacheAge +
    +
    + DeliveryOptimization/DOMaxCacheSize +
    +
    + DeliveryOptimization/DOMaxDownloadBandwidth +
    +
    + DeliveryOptimization/DOMaxUploadBandwidth +
    +
    + DeliveryOptimization/DOMinBackgroundQos +
    +
    + DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +
    +
    + DeliveryOptimization/DOMinDiskSizeAllowedToPeer +
    +
    + DeliveryOptimization/DOMinFileSizeToCache +
    +
    + DeliveryOptimization/DOMinRAMAllowedToPeer +
    +
    + DeliveryOptimization/DOModifyCacheDrive +
    +
    + DeliveryOptimization/DOMonthlyUploadDataCap +
    +
    + DeliveryOptimization/DOPercentageMaxDownloadBandwidth +
    +
    + +### Desktop policies + +
    +
    + Desktop/PreventUserRedirectionOfProfileFolders +
    +
    + +### DeviceGuard policies + +
    +
    + DeviceGuard/EnableVirtualizationBasedSecurity +
    +
    + DeviceGuard/LsaCfgFlags +
    +
    + DeviceGuard/RequirePlatformSecurityFeatures +
    +
    + +### DeviceInstallation policies + +
    +
    + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +
    +
    + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +
    +
    + +### DeviceLock policies + +
    +
    + DeviceLock/AllowIdleReturnWithoutPassword +
    +
    + DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +
    +
    + DeviceLock/AllowSimpleDevicePassword +
    +
    + DeviceLock/AlphanumericDevicePasswordRequired +
    +
    + DeviceLock/DevicePasswordEnabled +
    +
    + DeviceLock/DevicePasswordExpiration +
    +
    + DeviceLock/DevicePasswordHistory +
    +
    + DeviceLock/EnforceLockScreenAndLogonImage +
    +
    + DeviceLock/EnforceLockScreenProvider +
    +
    + DeviceLock/MaxDevicePasswordFailedAttempts +
    +
    + DeviceLock/MaxInactivityTimeDeviceLock +
    +
    + DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +
    +
    + DeviceLock/MinDevicePasswordComplexCharacters +
    +
    + DeviceLock/MinDevicePasswordLength +
    +
    + DeviceLock/PreventLockScreenSlideShow +
    +
    + DeviceLock/ScreenTimeoutWhileLocked +
    +
    + +### Display policies + +
    +
    + Display/TurnOffGdiDPIScalingForApps +
    +
    + Display/TurnOnGdiDPIScalingForApps +
    +
    + +### Education policies + +
    +
    + Education/DefaultPrinterName +
    +
    + Education/PreventAddingNewPrinters +
    +
    + Education/PrinterNames +
    +
    + +### EnterpriseCloudPrint policies + +
    +
    + EnterpriseCloudPrint/CloudPrintOAuthAuthority +
    +
    + EnterpriseCloudPrint/CloudPrintOAuthClientId +
    +
    + EnterpriseCloudPrint/CloudPrintResourceId +
    +
    + EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +
    +
    + EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +
    +
    + EnterpriseCloudPrint/MopriaDiscoveryResourceId +
    +
    + +### ErrorReporting policies + +
    +
    + ErrorReporting/CustomizeConsentSettings +
    +
    + ErrorReporting/DisableWindowsErrorReporting +
    +
    + ErrorReporting/DisplayErrorNotification +
    +
    + ErrorReporting/DoNotSendAdditionalData +
    +
    + ErrorReporting/PreventCriticalErrorDisplay +
    +
    + +### EventLogService policies + +
    +
    + EventLogService/ControlEventLogBehavior +
    +
    + EventLogService/SpecifyMaximumFileSizeApplicationLog +
    +
    + EventLogService/SpecifyMaximumFileSizeSecurityLog +
    +
    + EventLogService/SpecifyMaximumFileSizeSystemLog +
    +
    + +### Experience policies + +
    +
    + Experience/AllowCopyPaste +
    +
    + Experience/AllowCortana +
    +
    + Experience/AllowDeviceDiscovery +
    +
    + Experience/AllowFindMyDevice +
    +
    + Experience/AllowManualMDMUnenrollment +
    +
    + Experience/AllowSIMErrorDialogPromptWhenNoSIM +
    +
    + Experience/AllowScreenCapture +
    +
    + Experience/AllowSyncMySettings +
    +
    + Experience/AllowTailoredExperiencesWithDiagnosticData +
    +
    + Experience/AllowTaskSwitcher +
    +
    + Experience/AllowThirdPartySuggestionsInWindowsSpotlight +
    +
    + Experience/AllowVoiceRecording +
    +
    + Experience/AllowWindowsConsumerFeatures +
    +
    + Experience/AllowWindowsSpotlight +
    +
    + Experience/AllowWindowsSpotlightOnActionCenter +
    +
    + Experience/AllowWindowsSpotlightWindowsWelcomeExperience +
    +
    + Experience/AllowWindowsTips +
    +
    + Experience/ConfigureWindowsSpotlightOnLockScreen +
    +
    + Experience/DoNotShowFeedbackNotifications +
    +
    + +### Games policies + +
    +
    + Games/AllowAdvancedGamingServices +
    +
    + +### InternetExplorer policies + +
    +
    + InternetExplorer/AddSearchProvider +
    +
    + InternetExplorer/AllowActiveXFiltering +
    +
    + InternetExplorer/AllowAddOnList +
    +
    + InternetExplorer/AllowAutoComplete +
    +
    + InternetExplorer/AllowCertificateAddressMismatchWarning +
    +
    + InternetExplorer/AllowDeletingBrowsingHistoryOnExit +
    +
    + InternetExplorer/AllowEnhancedProtectedMode +
    +
    + InternetExplorer/AllowEnterpriseModeFromToolsMenu +
    +
    + InternetExplorer/AllowEnterpriseModeSiteList +
    +
    + InternetExplorer/AllowFallbackToSSL3 +
    +
    + InternetExplorer/AllowInternetExplorer7PolicyList +
    +
    + InternetExplorer/AllowInternetExplorerStandardsMode +
    +
    + InternetExplorer/AllowInternetZoneTemplate +
    +
    + InternetExplorer/AllowIntranetZoneTemplate +
    +
    + InternetExplorer/AllowLocalMachineZoneTemplate +
    +
    + InternetExplorer/AllowLockedDownInternetZoneTemplate +
    +
    + InternetExplorer/AllowLockedDownIntranetZoneTemplate +
    +
    + InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +
    +
    + InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +
    +
    + InternetExplorer/AllowOneWordEntry +
    +
    + InternetExplorer/AllowSiteToZoneAssignmentList +
    +
    + InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +
    +
    + InternetExplorer/AllowSuggestedSites +
    +
    + InternetExplorer/AllowTrustedSitesZoneTemplate +
    +
    + InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +
    +
    + InternetExplorer/AllowsRestrictedSitesZoneTemplate +
    +
    + InternetExplorer/CheckServerCertificateRevocation +
    +
    + InternetExplorer/CheckSignaturesOnDownloadedPrograms +
    +
    + InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +
    +
    + InternetExplorer/DisableAdobeFlash +
    +
    + InternetExplorer/DisableBlockingOfOutdatedActiveXControls +
    +
    + InternetExplorer/DisableBypassOfSmartScreenWarnings +
    +
    + InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +
    +
    + InternetExplorer/DisableConfiguringHistory +
    +
    + InternetExplorer/DisableCrashDetection +
    +
    + InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +
    +
    + InternetExplorer/DisableDeletingUserVisitedWebsites +
    +
    + InternetExplorer/DisableEnclosureDownloading +
    +
    + InternetExplorer/DisableEncryptionSupport +
    +
    + InternetExplorer/DisableFirstRunWizard +
    +
    + InternetExplorer/DisableFlipAheadFeature +
    +
    + InternetExplorer/DisableHomePageChange +
    +
    + InternetExplorer/DisableIgnoringCertificateErrors +
    +
    + InternetExplorer/DisableInPrivateBrowsing +
    +
    + InternetExplorer/DisableProcessesInEnhancedProtectedMode +
    +
    + InternetExplorer/DisableProxyChange +
    +
    + InternetExplorer/DisableSearchProviderChange +
    +
    + InternetExplorer/DisableSecondaryHomePageChange +
    +
    + InternetExplorer/DisableSecuritySettingsCheck +
    +
    + InternetExplorer/DisableUpdateCheck +
    +
    + InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +
    +
    + InternetExplorer/DoNotAllowUsersToAddSites +
    +
    + InternetExplorer/DoNotAllowUsersToChangePolicies +
    +
    + InternetExplorer/DoNotBlockOutdatedActiveXControls +
    +
    + InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +
    +
    + InternetExplorer/IncludeAllLocalSites +
    +
    + InternetExplorer/IncludeAllNetworkPaths +
    +
    + InternetExplorer/InternetZoneAllowAccessToDataSources +
    +
    + InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/InternetZoneAllowCopyPasteViaScript +
    +
    + InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +
    +
    + InternetExplorer/InternetZoneAllowFontDownloads +
    +
    + InternetExplorer/InternetZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +
    +
    + InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +
    +
    + InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
    +
    + InternetExplorer/InternetZoneAllowScriptInitiatedWindows +
    +
    + InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +
    +
    + InternetExplorer/InternetZoneAllowScriptlets +
    +
    + InternetExplorer/InternetZoneAllowSmartScreenIE +
    +
    + InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +
    +
    + InternetExplorer/InternetZoneAllowUserDataPersistence +
    +
    + InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/InternetZoneDownloadSignedActiveXControls +
    +
    + InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +
    +
    + InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +
    +
    + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
    +
    + InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
    +
    + InternetExplorer/InternetZoneEnableMIMESniffing +
    +
    + InternetExplorer/InternetZoneEnableProtectedMode +
    +
    + InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +
    +
    + InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
    +
    + InternetExplorer/InternetZoneJavaPermissions +
    +
    + InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +
    +
    + InternetExplorer/InternetZoneLogonOptions +
    +
    + InternetExplorer/InternetZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode +
    +
    + InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
    +
    + InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +
    +
    + InternetExplorer/InternetZoneUsePopupBlocker +
    +
    + InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone +
    +
    + InternetExplorer/IntranetZoneAllowAccessToDataSources +
    +
    + InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/IntranetZoneAllowFontDownloads +
    +
    + InternetExplorer/IntranetZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/IntranetZoneAllowScriptlets +
    +
    + InternetExplorer/IntranetZoneAllowSmartScreenIE +
    +
    + InternetExplorer/IntranetZoneAllowUserDataPersistence +
    +
    + InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
    +
    + InternetExplorer/IntranetZoneJavaPermissions +
    +
    + InternetExplorer/IntranetZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LocalMachineZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LocalMachineZoneAllowFontDownloads +
    +
    + InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LocalMachineZoneAllowScriptlets +
    +
    + InternetExplorer/LocalMachineZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LocalMachineZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LocalMachineZoneJavaPermissions +
    +
    + InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LockedDownInternetZoneAllowFontDownloads +
    +
    + InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LockedDownInternetZoneAllowScriptlets +
    +
    + InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LockedDownInternetZoneJavaPermissions +
    +
    + InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowScriptlets +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +
    +
    + InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +
    +
    + InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +
    +
    + InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +
    +
    + InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +
    +
    + InternetExplorer/NotificationBarInternetExplorerProcesses +
    +
    + InternetExplorer/PreventManagingSmartScreenFilter +
    +
    + InternetExplorer/PreventPerUserInstallationOfActiveXControls +
    +
    + InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +
    +
    + InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +
    +
    + InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +
    +
    + InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +
    +
    + InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +
    +
    + InternetExplorer/RestrictedSitesZoneAllowActiveScripting +
    +
    + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +
    +
    + InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +
    +
    + InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +
    +
    + InternetExplorer/RestrictedSitesZoneAllowFileDownloads +
    +
    + InternetExplorer/RestrictedSitesZoneAllowFontDownloads +
    +
    + InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +
    +
    + InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +
    +
    + InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +
    +
    + InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +
    +
    + InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +
    +
    + InternetExplorer/RestrictedSitesZoneAllowScriptlets +
    +
    + InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +
    +
    + InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +
    +
    + InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +
    +
    + InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +
    +
    + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +
    +
    + InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +
    +
    + InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +
    +
    + InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +
    +
    + InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/RestrictedSitesZoneJavaPermissions +
    +
    + InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +
    +
    + InternetExplorer/RestrictedSitesZoneLogonOptions +
    +
    + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +
    +
    + InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains +
    +
    + InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +
    +
    + InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +
    +
    + InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +
    +
    + InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +
    +
    + InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +
    +
    + InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter +
    +
    + InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +
    +
    + InternetExplorer/RestrictedSitesZoneUsePopupBlocker +
    +
    + InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +
    +
    + InternetExplorer/SearchProviderList +
    +
    + InternetExplorer/SecurityZonesUseOnlyMachineSettings +
    +
    + InternetExplorer/SpecifyUseOfActiveXInstallerService +
    +
    + InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +
    +
    + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +
    +
    + InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +
    +
    + InternetExplorer/TrustedSitesZoneAllowFontDownloads +
    +
    + InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +
    +
    + InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +
    +
    + InternetExplorer/TrustedSitesZoneAllowScriptlets +
    +
    + InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +
    +
    + InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +
    +
    + InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +
    +
    + InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls +
    +
    + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +
    +
    + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe +
    +
    + InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe +
    +
    + InternetExplorer/TrustedSitesZoneJavaPermissions +
    +
    + InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +
    +
    + +### Kerberos policies + +
    +
    + Kerberos/AllowForestSearchOrder +
    +
    + Kerberos/KerberosClientSupportsClaimsCompoundArmor +
    +
    + Kerberos/RequireKerberosArmoring +
    +
    + Kerberos/RequireStrictKDCValidation +
    +
    + Kerberos/SetMaximumContextTokenSize +
    +
    + +### Licensing policies + +
    +
    + Licensing/AllowWindowsEntitlementReactivation +
    +
    + Licensing/DisallowKMSClientOnlineAVSValidation +
    +
    + +### LocalPoliciesSecurityOptions policies + +
    +
    + LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +
    +
    + LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +
    +
    + LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +
    +
    + LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +
    + LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +
    +
    + LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +
    +
    + LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn +
    +
    + LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn +
    +
    + LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +
    +
    + LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +
    +
    + LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +
    +
    + LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon +
    +
    + LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +
    +
    + LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +
    +
    + +### Location policies + +
    +
    + Location/EnableLocation +
    +
    + +### LockDown policies + +
    +
    + LockDown/AllowEdgeSwipe +
    +
    + +### Maps policies + +
    +
    + Maps/AllowOfflineMapsDownloadOverMeteredConnection +
    +
    + Maps/EnableOfflineMapsAutoUpdate +
    +
    + +### Messaging policies + +
    +
    + Messaging/AllowMMS +
    +
    + Messaging/AllowMessageSync +
    +
    + Messaging/AllowRCS +
    +
    + +### NetworkIsolation policies + +
    +
    + NetworkIsolation/EnterpriseCloudResources +
    +
    + NetworkIsolation/EnterpriseIPRange +
    +
    + NetworkIsolation/EnterpriseIPRangesAreAuthoritative +
    +
    + NetworkIsolation/EnterpriseInternalProxyServers +
    +
    + NetworkIsolation/EnterpriseNetworkDomainNames +
    +
    + NetworkIsolation/EnterpriseProxyServers +
    +
    + NetworkIsolation/EnterpriseProxyServersAreAuthoritative +
    +
    + NetworkIsolation/NeutralResources +
    +
    + +### Notifications policies + +
    +
    + Notifications/DisallowNotificationMirroring +
    +
    + +### Power policies + +
    +
    + Power/AllowStandbyWhenSleepingPluggedIn +
    +
    + Power/DisplayOffTimeoutOnBattery +
    +
    + Power/DisplayOffTimeoutPluggedIn +
    +
    + Power/HibernateTimeoutOnBattery +
    +
    + Power/HibernateTimeoutPluggedIn +
    +
    + Power/RequirePasswordWhenComputerWakesOnBattery +
    +
    + Power/RequirePasswordWhenComputerWakesPluggedIn +
    +
    + Power/StandbyTimeoutOnBattery +
    +
    + Power/StandbyTimeoutPluggedIn +
    +
    + +### Printers policies + +
    +
    + Printers/PointAndPrintRestrictions +
    +
    + Printers/PointAndPrintRestrictions_User +
    +
    + Printers/PublishPrinters +
    +
    + +### Privacy policies + +
    +
    + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
    +
    + Privacy/AllowInputPersonalization +
    +
    + Privacy/DisableAdvertisingId +
    +
    + Privacy/LetAppsAccessAccountInfo +
    +
    + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCalendar +
    +
    + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory +
    +
    + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessCamera +
    +
    + Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessContacts +
    +
    + Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessEmail +
    +
    + Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessLocation +
    +
    + Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMessaging +
    +
    + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone +
    +
    + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessMotion +
    +
    + Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessNotifications +
    +
    + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessPhone +
    +
    + Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessRadios +
    +
    + Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessTasks +
    +
    + Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices +
    +
    + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
    +
    + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo +
    +
    + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
    +
    + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsRunInBackground +
    +
    + Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
    +
    + Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
    +
    + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices +
    +
    + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
    +
    + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
    +
    + +### RemoteAssistance policies + +
    +
    + RemoteAssistance/CustomizeWarningMessages +
    +
    + RemoteAssistance/SessionLogging +
    +
    + RemoteAssistance/SolicitedRemoteAssistance +
    +
    + RemoteAssistance/UnsolicitedRemoteAssistance +
    +
    + +### RemoteDesktopServices policies + +
    +
    + RemoteDesktopServices/AllowUsersToConnectRemotely +
    +
    + RemoteDesktopServices/ClientConnectionEncryptionLevel +
    +
    + RemoteDesktopServices/DoNotAllowDriveRedirection +
    +
    + RemoteDesktopServices/DoNotAllowPasswordSaving +
    +
    + RemoteDesktopServices/PromptForPasswordUponConnection +
    +
    + RemoteDesktopServices/RequireSecureRPCCommunication +
    +
    + +### RemoteManagement policies + +
    +
    + RemoteManagement/AllowBasicAuthentication_Client +
    +
    + RemoteManagement/AllowBasicAuthentication_Service +
    +
    + RemoteManagement/AllowCredSSPAuthenticationClient +
    +
    + RemoteManagement/AllowCredSSPAuthenticationService +
    +
    + RemoteManagement/AllowRemoteServerManagement +
    +
    + RemoteManagement/AllowUnencryptedTraffic_Client +
    +
    + RemoteManagement/AllowUnencryptedTraffic_Service +
    +
    + RemoteManagement/DisallowDigestAuthentication +
    +
    + RemoteManagement/DisallowNegotiateAuthenticationClient +
    +
    + RemoteManagement/DisallowNegotiateAuthenticationService +
    +
    + RemoteManagement/DisallowStoringOfRunAsCredentials +
    +
    + RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +
    +
    + RemoteManagement/TrustedHosts +
    +
    + RemoteManagement/TurnOnCompatibilityHTTPListener +
    +
    + RemoteManagement/TurnOnCompatibilityHTTPSListener +
    +
    + +### RemoteProcedureCall policies + +
    +
    + RemoteProcedureCall/RPCEndpointMapperClientAuthentication +
    +
    + RemoteProcedureCall/RestrictUnauthenticatedRPCClients +
    +
    + +### RemoteShell policies + +
    +
    + RemoteShell/AllowRemoteShellAccess +
    +
    + RemoteShell/MaxConcurrentUsers +
    +
    + RemoteShell/SpecifyIdleTimeout +
    +
    + RemoteShell/SpecifyMaxMemory +
    +
    + RemoteShell/SpecifyMaxProcesses +
    +
    + RemoteShell/SpecifyMaxRemoteShells +
    +
    + RemoteShell/SpecifyShellTimeout +
    +
    + +### Search policies + +
    +
    + Search/AllowIndexingEncryptedStoresOrItems +
    +
    + Search/AllowSearchToUseLocation +
    +
    + Search/AllowUsingDiacritics +
    +
    + Search/AlwaysUseAutoLangDetection +
    +
    + Search/DisableBackoff +
    +
    + Search/DisableRemovableDriveIndexing +
    +
    + Search/PreventIndexingLowDiskSpaceMB +
    +
    + Search/PreventRemoteQueries +
    +
    + Search/SafeSearchPermissions +
    +
    + +### Security policies + +
    +
    + Security/AllowAddProvisioningPackage +
    +
    + Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices +
    +
    + Security/AllowManualRootCertificateInstallation +
    +
    + Security/AllowRemoveProvisioningPackage +
    +
    + Security/AntiTheftMode +
    +
    + Security/ClearTPMIfNotReady +
    +
    + Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +
    +
    + Security/RequireDeviceEncryption +
    +
    + Security/RequireProvisioningPackageSignature +
    +
    + Security/RequireRetrieveHealthCertificateOnBoot +
    +
    + +### Settings policies + +
    +
    + Settings/AllowAutoPlay +
    +
    + Settings/AllowDataSense +
    +
    + Settings/AllowDateTime +
    +
    + Settings/AllowEditDeviceName +
    +
    + Settings/AllowLanguage +
    +
    + Settings/AllowPowerSleep +
    +
    + Settings/AllowRegion +
    +
    + Settings/AllowSignInOptions +
    +
    + Settings/AllowVPN +
    +
    + Settings/AllowWorkplace +
    +
    + Settings/AllowYourAccount +
    +
    + Settings/ConfigureTaskbarCalendar +
    +
    + Settings/PageVisibilityList +
    +
    + +### SmartScreen policies + +
    +
    + SmartScreen/EnableAppInstallControl +
    +
    + SmartScreen/EnableSmartScreenInShell +
    +
    + SmartScreen/PreventOverrideForFilesInShell +
    +
    + +### Speech policies + +
    +
    + Speech/AllowSpeechModelUpdate +
    +
    + +### Start policies + +
    +
    + Start/AllowPinnedFolderDocuments +
    +
    + Start/AllowPinnedFolderDownloads +
    +
    + Start/AllowPinnedFolderFileExplorer +
    +
    + Start/AllowPinnedFolderHomeGroup +
    +
    + Start/AllowPinnedFolderMusic +
    +
    + Start/AllowPinnedFolderNetwork +
    +
    + Start/AllowPinnedFolderPersonalFolder +
    +
    + Start/AllowPinnedFolderPictures +
    +
    + Start/AllowPinnedFolderSettings +
    +
    + Start/AllowPinnedFolderVideos +
    +
    + Start/ForceStartSize +
    +
    + Start/HideAppList +
    +
    + Start/HideChangeAccountSettings +
    +
    + Start/HideFrequentlyUsedApps +
    +
    + Start/HideHibernate +
    +
    + Start/HideLock +
    +
    + Start/HidePowerButton +
    +
    + Start/HideRecentJumplists +
    +
    + Start/HideRecentlyAddedApps +
    +
    + Start/HideRestart +
    +
    + Start/HideShutDown +
    +
    + Start/HideSignOut +
    +
    + Start/HideSleep +
    +
    + Start/HideSwitchAccount +
    +
    + Start/HideUserTile +
    +
    + Start/ImportEdgeAssets +
    +
    + Start/NoPinningToTaskbar +
    +
    + Start/StartLayout +
    +
    + +### Storage policies + +
    +
    + Storage/EnhancedStorageDevices +
    +
    + +### System policies + +
    +
    + System/AllowBuildPreview +
    +
    + System/AllowEmbeddedMode +
    +
    + System/AllowExperimentation +
    +
    + System/AllowFontProviders +
    +
    + System/AllowLocation +
    +
    + System/AllowStorageCard +
    +
    + System/AllowTelemetry +
    +
    + System/AllowUserToResetPhone +
    +
    + System/BootStartDriverInitialization +
    +
    + System/DisableOneDriveFileSync +
    +
    + System/DisableSystemRestore +
    +
    + System/TelemetryProxy +
    +
    + +### TextInput policies + +
    +
    + TextInput/AllowIMELogging +
    +
    + TextInput/AllowIMENetworkAccess +
    +
    + TextInput/AllowInputPanel +
    +
    + TextInput/AllowJapaneseIMESurrogatePairCharacters +
    +
    + TextInput/AllowJapaneseIVSCharacters +
    +
    + TextInput/AllowJapaneseNonPublishingStandardGlyph +
    +
    + TextInput/AllowJapaneseUserDictionary +
    +
    + TextInput/AllowKeyboardTextSuggestions +
    +
    + TextInput/AllowKoreanExtendedHanja +
    +
    + TextInput/AllowLanguageFeaturesUninstall +
    +
    + TextInput/ExcludeJapaneseIMEExceptJIS0208 +
    +
    + TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +
    +
    + TextInput/ExcludeJapaneseIMEExceptShiftJIS +
    +
    + +### TimeLanguageSettings policies + +
    +
    + TimeLanguageSettings/AllowSet24HourClock +
    +
    + +### Update policies + +
    +
    + Update/ActiveHoursEnd +
    +
    + Update/ActiveHoursMaxRange +
    +
    + Update/ActiveHoursStart +
    +
    + Update/AllowAutoUpdate +
    +
    + Update/AllowMUUpdateService +
    +
    + Update/AllowNonMicrosoftSignedUpdate +
    +
    + Update/AllowUpdateService +
    +
    + Update/AutoRestartDeadlinePeriodInDays +
    +
    + Update/AutoRestartNotificationSchedule +
    +
    + Update/AutoRestartRequiredNotificationDismissal +
    +
    + Update/BranchReadinessLevel +
    +
    + Update/DeferFeatureUpdatesPeriodInDays +
    +
    + Update/DeferQualityUpdatesPeriodInDays +
    +
    + Update/DeferUpdatePeriod +
    +
    + Update/DeferUpgradePeriod +
    +
    + Update/DetectionFrequency +
    +
    + Update/EngagedRestartDeadline +
    +
    + Update/EngagedRestartSnoozeSchedule +
    +
    + Update/EngagedRestartTransitionSchedule +
    +
    + Update/ExcludeWUDriversInQualityUpdate +
    +
    + Update/FillEmptyContentUrls +
    +
    + Update/IgnoreMOAppDownloadLimit +
    +
    + Update/IgnoreMOUpdateDownloadLimit +
    +
    + Update/PauseDeferrals +
    +
    + Update/PauseFeatureUpdates +
    +
    + Update/PauseFeatureUpdatesStartTime +
    +
    + Update/PauseQualityUpdates +
    +
    + Update/PauseQualityUpdatesStartTime +
    +
    + Update/RequireDeferUpgrade +
    +
    + Update/RequireUpdateApproval +
    +
    + Update/ScheduleImminentRestartWarning +
    +
    + Update/ScheduleRestartWarning +
    +
    + Update/ScheduledInstallDay +
    +
    + Update/ScheduledInstallEveryWeek +
    +
    + Update/ScheduledInstallFirstWeek +
    +
    + Update/ScheduledInstallFourthWeek +
    +
    + Update/ScheduledInstallSecondWeek +
    +
    + Update/ScheduledInstallThirdWeek +
    +
    + Update/ScheduledInstallTime +
    +
    + Update/SetAutoRestartNotificationDisable +
    +
    + Update/SetEDURestart +
    +
    + Update/UpdateServiceUrl +
    +
    + Update/UpdateServiceUrlAlternate +
    +
    + +### Wifi policies + +
    +
    + WiFi/AllowWiFiHotSpotReporting +
    +
    + Wifi/AllowAutoConnectToWiFiSenseHotspots +
    +
    + Wifi/AllowInternetSharing +
    +
    + Wifi/AllowManualWiFiConfiguration +
    +
    + Wifi/AllowWiFi +
    +
    + Wifi/AllowWiFiDirect +
    +
    + Wifi/WLANScanMode +
    +
    + +### WindowsDefenderSecurityCenter policies + +
    +
    + WindowsDefenderSecurityCenter/CompanyName +
    +
    + WindowsDefenderSecurityCenter/DisableAppBrowserUI +
    +
    + WindowsDefenderSecurityCenter/DisableEnhancedNotifications +
    +
    + WindowsDefenderSecurityCenter/DisableFamilyUI +
    +
    + WindowsDefenderSecurityCenter/DisableHealthUI +
    +
    + WindowsDefenderSecurityCenter/DisableNetworkUI +
    +
    + WindowsDefenderSecurityCenter/DisableNotifications +
    +
    + WindowsDefenderSecurityCenter/DisableVirusUI +
    +
    + WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride +
    +
    + WindowsDefenderSecurityCenter/Email +
    +
    + WindowsDefenderSecurityCenter/EnableCustomizedToasts +
    +
    + WindowsDefenderSecurityCenter/EnableInAppCustomization +
    +
    + WindowsDefenderSecurityCenter/Phone +
    +
    + WindowsDefenderSecurityCenter/URL +
    +
    + +### WindowsInkWorkspace policies + +
    +
    + WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +
    +
    + WindowsInkWorkspace/AllowWindowsInkWorkspace +
    +
    + +### WindowsLogon policies + +
    +
    + WindowsLogon/DisableLockScreenAppNotifications +
    +
    + WindowsLogon/DontDisplayNetworkSelectionUI +
    +
    + WindowsLogon/HideFastUserSwitching +
    +
    + +### WirelessDisplay policies + +
    +
    + WirelessDisplay/AllowProjectionFromPC +
    +
    + WirelessDisplay/AllowProjectionFromPCOverInfrastructure +
    +
    + WirelessDisplay/AllowProjectionToPC +
    +
    + WirelessDisplay/AllowProjectionToPCOverInfrastructure +
    +
    + WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +
    +
    + WirelessDisplay/RequirePinForPairing +
    +
+
+
+## ADMX-backed policies
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) +- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) +- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) +- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) +- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) +- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) +- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) +- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) +- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) +- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) +- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) +- 
[InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) +- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- 
[InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-disableblockingofoutdatedactivexcontrols) +- 
[InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) +- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) +- 
[InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- 
[InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- 
[InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) +- 
[InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentsnotsignedwithauthenticode) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#internetexplorer-internetzonewebsitesinlessprivilegedzonescannavigateintothiszone) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- 
[InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrolsnotmarkedsafe) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) +- 
[InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- 
[InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- 
[InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- 
[InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- 
[InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- 
[InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) +- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- 
[InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) +- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) +- 
[InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) +- 
[InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- 
[InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- 
[InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframesacrossdomains) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- 
[InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnoncrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- 
[InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedontrunantimalwareprogramsagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedassafe) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrolsnotmarkedsafe) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- 
[InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- 
[RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) +- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) +- 
[RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) +- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) +- 
[RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) -## Policies Supported by IoT Core +## Policies supported by IoT Core - [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) 
@@ -21234,12 +3305,20 @@ Footnote: - [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) - [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) - [Connectivity/AllowNFC](#connectivity-allownfc) - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) - [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) +- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) +- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) 
@@ -21272,27 +3351,27 @@ Footnote: -## Policies supported by Windows Holographic for Business +## Policies supported by Windows Holographic for Business -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) +- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +- 
[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [Experience/AllowCortana](#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) 
@@ -21302,93 +3381,95 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [Settings/AllowDateTime](#settings-allowdatetime) +- [Settings/AllowVPN](#settings-allowvpn) - [System/AllowFontProviders](#system-allowfontproviders) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [System/AllowLocation](#system-allowlocation) +- [System/AllowTelemetry](#system-allowtelemetry) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](#update-requireupdateapproval) +- [Update/UpdateServiceUrl](#update-updateserviceurl) -## Policies supported by Microsoft Surface Hub +## Policies supported by Microsoft Surface Hub - [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration) -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- 
[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) +- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) - [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) - [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) - [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) +- [Browser/HomePages](#browser-homepages) - [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- 
[Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) - [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) -- [Camera/AllowCamera](#camera-allowcamera) +- [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - [ConfigOperations/ADMXInstall](#configoperations-admxinstall) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) -- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) -- [Defender/AllowIOAVProtection](#defender-allowioavprotection) -- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) -- 
[Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](#defender-excludedextensions) -- [Defender/ExcludedPaths](#defender-excludedpaths) -- [Defender/ExcludedProcesses](#defender-excludedprocesses) -- [Defender/PUAProtection](#defender-puaprotection) -- [Defender/RealTimeScanDirection](#defender-realtimescandirection) -- [Defender/ScanParameter](#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](#defender-schedulescanday) -- [Defender/ScheduleScanTime](#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) -- 
[DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- 
[Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) - [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) 
@@ -21398,40 +3479,41 @@ Footnote: - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) -- [TextInput/AllowIMELogging](#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) +- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) +- [System/AllowFontProviders](#system-allowfontproviders) +- [System/AllowLocation](#system-allowlocation) +- 
[System/AllowTelemetry](#system-allowtelemetry) +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) - [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock) - [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry) - [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage) -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) +- [Update/AllowAutoUpdate](#update-allowautoupdate) +- [Update/AllowUpdateService](#update-allowupdateservice) - [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) - [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) +- [Update/BranchReadinessLevel](#update-branchreadinesslevel) +- 
[Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) - [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) +- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](#update-pausequalityupdates) - [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) - [Update/ScheduleRestartWarning](#update-schedulerestartwarning) - [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) +- [Update/UpdateServiceUrl](#update-updateserviceurl) - [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) +- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) @@ -21439,6 +3521,7 @@ Footnote: - [Browser/AllowBrowser](#browser-allowbrowser) - [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) - [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) @@ -21451,6 +3534,7 @@ Footnote: - [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) - [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) - [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [System/AllowStorageCard](#system-allowstoragecard) 
@@ -21459,6 +3543,7 @@ Footnote: - [Wifi/AllowWiFi](#wifi-allowwifi) + ## Examples Set the minimum password length to 4 characters. 
@@ -21505,196 +3590,6 @@ Do not allow NFC. ``` -## Start/StartLayout Examples - -### Generating a layout - -The easiest way to generate a layout is to set the Start layout on a PC, and then run the PowerShell cmdlet **Export-StartLayout**. - -` > Export-StartLayout -path c:\users\<`*you*`>\desktop\startlayout.xml` - -Sample layout generated using the cmdlet - -``` syntax - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -### Understanding the schema - -In the previous example, the **DefaultLayoutOverride** element is used to specify a layout that overrides the default Start layout. It contains a **StartLayoutCollection**. **StartLayoutCollection** contains a **StartLayout**, which is made up of a collection of **Groups** which are, in turn, made up of either **Tiles** or **DesktopApplicationTiles**. - -### Manually creating a layout - -For **Tile** elements, the **AppUserModelID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. - -For **DesktopApplicationTile** elements, the **DesktopApplicationID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. - -### Secondary tiles - -Creating a layout requires some special notes about secondary tiles. In general, the simplest way to correctly specify a **SecondaryTile** is to generate it using the **Export-StartLayout** PowerShell cmdlet as specified above. - -> [!NOTE] -> Apps that don't encode enough information in their secondary tiles may not be able to be used effectively in the **StartLayout** policy. - - -### Generic webpage shortcuts - -The simplest mechanism to create a link to a webpage is to use a URL file. This can be manually added to the layout file by specifying the URL in the **DesktopApplicationID** attribute. 
- -``` syntax - -``` - -### Microsoft Edge secondary tiles - -These can be generated by using the **Export-StartLayout** PowerShell cmdlet as specified above. The following example shows a generated secondary tile: - -``` syntax - -``` - -### Microsoft Edge assets example - -An example XML string value for the **[Start/ImportEdgeAssets](#start-importedgeassets)** policy. - -``` syntax - - - - - - - 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 - - - - - - - - iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAYAAAB5fY51AAAABGdBTUEAALGPC/xhBQAAEmpJREFUeAHt3X3MvXVdB3BufgaCBkGI4pAySWeIvzKhLKayNq00W1YiUc6HOW096cw1XSVNR82Ws1iscvoHWWzkKFu13NpqCEONBFLQ0XwENJX8iQI+Ab/eH7lvOZz7+p7H6zzd9+u7fTjnfK/v0/U6v++Xc677Otd1xBESAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgsCKBrRX1q9s9KnD48OHHZNfOT3xf4p7ETYnLtra2DuVRIkCAwOoFslA9PPHniW8khtOXk/H6xIHVj9QICBDY1wJZiH488fHEuHRVCpy2r7HsPAECqxHI4nNk4g2JexKTpv9LweesZsR6JUBgXwpk0Tk58W+TrlJD5e7L6wsTjqHuy389dprAEgWy0JyduDUxb/qHNPCwJQ5dVwQI7CeBLDAvTnxt3pVqoP71eV5/WZQIECDQj0AWla3EmwcWmj6ffiaNHexnpFohQGBfC2QxeWji8glWqCtHlPnsiG216UuJZ+5raDtPgMB8AllETkhcnRiV6iD6GxMHRhR6VLa9d8T22lRfNZ8/34jVJkBgXwpk8Xhk4obEqHR3Nv7iDlCrYG3PtqMSf9sqs53/zTyet9OeRwIECIwVyKJxWuLm7UWk9VDHnp462Fir4E6ZbK9jYX/UKredX+d1/fJOHY8ECBBoCmSxeGzi09uLR+vhg9lw6nAjrcId5X41ZUedcHpvtlu0huG8JkDgAYEsEo9JfCIxKl2RjZ3nT7UqPdDDA89S9mcSd7XqJL++Hj7vgRqe
ESBAYFsgi8MpiXFfAy9JmeYZ6tnWmVrIKfyjiTs6K92f+dU8nNuqL58AgX0okEXhxMRN968Rzf9ePI6mVXNUvdQ5J3Fnq27y62oPPzSqDdsIENgnAlkMjk6MOocqmw+/dRKOKtiVxtVNnXMT9RfHVqqfAj16XDu2EyCwhwWyCNRf7S5rrRLb+W+ZlKDVziT1U/fZiVE/+/nPbD9mkraUIUBgDwpkARh3isEfT7Pbaa8zTdpGKteB+K6LAO60+3d50jyGNmk/yhEgsGECmfjn76wCjcc/nXaXGu0cnqadtHFeos6eb6XfmaY9ZQkQ2HCBrARPTHyltSIk/+8TR067m632Zmjnd1ttJb8Wsx+btk3lCRDYQIFM9rr++qi/CL4/22c6VpR6nWkWpjQ06mc8dWLribO0qw4BAhskMGYh+Fi2nzzr7qRuZ5qlvTRUV4l4X2eD92f+4yztqkOAwIYIZJ6POm5VZ53/wDy70lpcZm0z7dXJrHUeViu9eNa21SNAYI0FMuNPTtzemvnJf9G8w2+1PU+7afOaVrvJ/2LikfO0ry4BAmsokIn9rhET/+19DLnV/qxtp71aZEed5lBdXj5r++oRILCGApnUL6iZ3Uj/nfyZDrIP72qj/alOaxhsM+39fqvNoXw/kh6E85zApgpkYh+bqGtXdaX69HJmX/vW1UHlzdJ+qtVVSodPvagrOHSlTyTzqFn6UYcAgTUSyEQe9SnljX0OtWslqbxZ+ki1ug3YYPp8Xoy6EcarZulHHQIE1kQgE7wuczz8KWVnEfhonhzd51B3Gh5+nLaP1H/NcBt5/euJYxJ16kVX+kIyj5u2L+UJEFgTgUzgv+ia2cmrs8Wf3vcwG31N9QkrbbwoUVccHUx1PtZDarx5/KnBDUPPe/3E2LeP9ggQaAhkIp+eaF2G+G8a1ebKHlo8vv1y0kZT4eUdYz6UvO8dbCOv/ynRleq6WicNlvWcAIENEMjEvbhrRievDlyfvohdaPQ39hNW6j0k8Wcd9b+evGcPjzV5T+kou5P1uuHyXhMgsMYCmbnHJ1rHrv5qUUPfWTGGH0f1l7JPTtRNLYZTLaw/16qbbcMH5Xfq35In3/r62KornwCBNRLIhH31zuwdeqwL5O26201fQx/q69svu9rPxpMSb0l0nRhai+3Ic6uy/WCijsV1pV/o6lMeAQJrJpDZe2Si9Ze0v1zkcLtWjsob7DMvj0u8IdH6jeAns+3Jg3Vaz1Puw4mudGWrjnwCBNZIILP3WV0zeDtvoTdzaPVbPNl2VuJtiTow3kp/nQ0nTMqZsh9oNZT8J0zajnIECKxIIBP1ksYk/sCih9Tot7Lr5z+jUn2q+tlpxpfyj0jUca5WcmXSaUCVJbBsgczcuqnEbY0Z/NJFj6fR76jsz2Xjbyam/llN6lw4quFsu2bR+6t9AgTmEMgkPbsxieuGpJ13a56ju11VG313ZdcVQ1+XePiuRibISL06YN86BpZN30p1QP6UCZpThACBVQhkgl50/1zd9d9/XcZ4dvX64Iw6ifXdieckpr5e/OD4U//yxGBqfTV8xWA9zwkQWCOBzOBrB2fxwPPfWsYwB/obfvrSZPRyBnraedlw43n9Hx15lXXFMvZbHwQITCmQyVlni9d5Vl3p+6dsbqbiXR1X3kyNdVRKUz+ZGD5vq/5SWDdh7Uqf7GhGFgECqxbIbH1S14xN3qeWNbZG/70sWGn75xN13fnBVK8fnzg6UcfputLEp0ksy0k/swnMdRxhti7VWqDAwUbbH2rkb0R2VqA6EfaiDPZdiWMHBn1fnv/K1tbWzYmv5/lHBrYNPl3ouWeDHXm+WAEL1mJ9l916a8G6cdkD6au/LFT16ehfEl0/aP6NLFSDx6g+3OjXgtWA2bRsC9amvWOjx3tGY/NNjfy1zc5CdSDxsgywFqHhqzXcm7xXZrG6ZGgHWgtWb5eAHurPyyUL+EX7ksEX3F3rWE3rq9KChzNb81mo6kfPf5jo
ukfiXcm/IIvVuztab32SfERHWVkbKGDB2sA3bcSQv7Ox7VAjf22ys0jVbefPT7wk8cONgX2wymSxurmx/X8b+a2FvFFc9roKWLDW9Z2ZbVytBevO2ZpbbK0sUielh7pM8wWJ5yZaP8+5O9v+JPGmLFbfyGMrfbmx4bsa+bI3TMCCtWFv2Jjhtn7mUl+jVpqyOD0lA6ivZo9NPG07xp0bVseq3pG4MAvVZ/I4Lt3RKOATVgNGNoGVCWRRqMsJd6Wl/Y+pq/MZ8uoGFFcknjgNZsrXuVhd6avTtKPs+gos7R/y+hLsqZF9M3vT9bXq6OTfswF7Wn/NvDTxznyium0DxmuISxawYC0ZfMHdfT7t11eu4fTdyVj518LhQeV1LbDXJa5KXJZF6to8zpOOa1T+YiNf9oYJWLA27A0bM9zPZXvXglUHtz89pu6iN9df+G5PfCFxQ+KaxLVZpL6Wx77S8Y2GLFgNmE3LtmBt2js2erz1Casr1YK10pSFqXWqQp/jan3CWvvTOvpE2MttOdN9b7279QmrK3WdgNlVbtPzHtfYAZ+wGjCblm3B2rR3bPR4W1/7njq62p7Z+oONPflsI1/2hglYsDbsDRsz3Ksb25fxdazR9VKzDzZ6e38jXzYBAqsSyAlIxyaGL25X5yXVeU2PWsa4qrOutOi+02ddgqZuaNGVnrDo/rW/HAGfsJbjvJRecmC7fsLyXx2d1fv8wo78vZT1jOzMyR07VMevWr897Cgua50FLFjr/O7MNrb3Nqr9UiN/r2Sf19iR92Uh7+WKp432ZRMgMKtAvg89res70XZe6xjPrN3tqtfqe1fBHjPSZ30Vvr3R9yt77EpTBAj0LZCJe11j8v5z330Nt9fod6GfcNLn6xv93pn81hUshofuNQECqxDIJH15YwJXdh3rWVhq9buoDtPfiYkvNfp926L61S4BAj0JZPI+bMQkvrG299TVrmYaC8fCPmGlv3e0+kz+fjn/bNf7IIPARglksv7eiIn8zkXtTKvPRfSXvl7S6i/571lEn9okQGABApmwRyU+OmJCv3oB3R7R6q/vvtLPWYm7G/3VzWTHXRyw7yFpjwCBeQQyac9tTOid7NfO035X3Z2Ghx+7ys6al7bPSdwx3MfA6z+YtW31CBBYoUAm8dsHJnLX04uS2dv5eF0dVF5fBGnquYnhuz9XFzvpI3ny0L760w4BAksUyOStywZftTObG49XJv97+hhWo/25F6y0e0zi4sR9rT6SX+dind7HfmiDAIEVCWQSn5T4n8SoVKcG/FriO+YZZquDOdt8VtoddTyuuq3jVufM04+6BAisiUAm8+MTtybGpY+lwAWJA7MMvdX4jG09Pe3Vp79xqX7w/YJZ+lCHAIE1FcikPjVxw7jZv739tjy+OXHmNLvTanvSNlK/xvjaxPWttoby65PhT0zavnIECGyQQCb3cYn3DE36cS/rpz6/nfiRRN2Bp5laDbUqpPyBxJmJVyT+PXFvYtL0qRR8Uqtt+XtPYGvv7ZI9GieQSV5/FazzsN6UmPYvanXn5esTdVG86xK3JOqWXHWj068k6uanXen4ZJ6SeHTi1ERdHfSsRN1gdZYz7y9NvVflSgyH8igRILDXBbJw1XGtqxOblG7JYH96r7839o8AgQ6BTP6txPMTH0qsc6qrib4mcUzHbsgiQGA/CWQhqEsMvzCxbp+46nSMWqhm+dq4n95C+0pgfwpkcTgj8dbEJKdBpFjv6VBavDTxzITjrPvzn2HnXvvH0Mkic0cgC0YdFH9e4hmJsxPHJvpOdSC/DuDX5Z3rIoNX5WD6PXmUCDxIwIL1IA4vRglk8ao7hR9M1KkEZyQelzgtUXfkOSFRi1nr39Rd2VZ/0aubvd6a+HjipsSNieuyQPV5y/o0Ke1FgdY/rr24r/ZpCQJZ1Dp/N5gFyb+1Jfjv9S56+5X+XoeyfwQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCY
UMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBCYUMCCNSGUYgQIrF7AgrX698AICBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQIAAAQIECBAgQGDfCvw/BqwLpnvdxk0AAAAASUVORK5CYII= - - - - - - - - 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 - - - - - - - - iVBORw0KGgoAAAANSUhEUgAAAOEAAADhCAMAAAAJbSJIAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIECAr9//MFC/73CPEJ/PYOJQWV4AAAJsSURBVHgB7dyHcqswEEDRpa2KkcT/f+1zwNHYgtebvHPPtEzPNWXp8r8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIBhnOZFxSbnpxB1J+aMtzVoZaswjVMu2hIbBj+FRStbhW5bQ9TKVuF4y0ErW4VpHwSVvcKoldFCPaGQQgoppJBCCinUb1rNF+pqvlClCxTGEJZfLAz9F8bsk9wln3+hMEv3hVOSagg/W3iT3gsXJy+mnyvcpPfCkqSx/URhdNJ7YRzkZP3hwmUP3Lou9HKh/EhhXf5Zey6c5dMwSjX+WOH8EZiydl04yGGKqhqcPIQfKcxyl4p2XZjlUJr9hv+Bwk3uXNG+C8dm17IkOSzfK4xHYNS+CxfZDVpNcsgvhetXpsQWtfPC3ObocpqJ8sFHfVH2wJtq74W380V+Jzv3WiiuXE2J/gvHWlNtcmj/+5S1yvuUmPUNClPdcVbTubBdcdc6JfovvDjUzu1ElLsyyJ1bnqbEou9aGK4KNXp5rJjHX2NUW4V17Z0eU0LVXqGG1J5Bvvl2GNtCjU4OWd+tcPzuvvR5fKagre7n4XAxD4erQp1TnRKdFzY5i55Op/xloZYt6lsVrqcNschhNXJFeJFdiqeLGouRQnWy29qLGk6tFGY53HRXZ142U6iDHIYcwrzJwxDtFM5yJaudQvVy5tVSYXTSctFMYU1sA20VavTyzEc1U1iFUT4Ns9G73GX1491UeFKBQp4Y4qkvntyjkEIKKaSQQgp5O+/0qn3L5FuyRVu86czb6nxxgK9G8OUPvt4CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADezhemI2HJD0xgNwAAAABJRU5ErkJggg== - - - - - - - - 
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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - - - - - 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 - - - - -``` - ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md new file mode 100644 index 0000000000..5b1b04014f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -0,0 +1,146 @@ +--- +title: Policy CSP - AboveLock +description: Policy CSP - AboveLock +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - AboveLock + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## AboveLock policies + + +**AboveLock/AllowActionCenterNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

    Specifies whether to allow Action Center notifications above the device lock screen. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**AboveLock/AllowCortanaAboveLock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**AboveLock/AllowToasts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow toast notifications above the device lock screen. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
new file mode 100644
index 0000000000..321173c109
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -0,0 +1,187 @@
+---
+title: Policy CSP - Accounts
+description: Policy CSP - Accounts
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Accounts
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Accounts policies + + +**Accounts/AllowAddingNonMicrosoftAccountsManually** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether user is allowed to add non-MSA email accounts. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +> [!NOTE] +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). + + + + +**Accounts/AllowMicrosoftAccountConnection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Accounts/AllowMicrosoftAccountSignInAssistant** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. + +

    The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Manual start. + + + + +**Accounts/DomainNamesForEmailSync** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies a list of the domains that are allowed to sync email on the device. + +

    The data type is a string. + +

    The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Accounts policies supported by Windows Holographic for Business
+
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+
+
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
new file mode 100644
index 0000000000..ecf8c1bd88
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -0,0 +1,82 @@
+---
+title: Policy CSP - ActiveXControls
+description: Policy CSP - ActiveXControls
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - ActiveXControls
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## ActiveXControls policies + + +**ActiveXControls/ApprovedInstallationSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
+
+If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
+
+If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
+
+Note: Wild card characters cannot be used when specifying the host URLs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Approved Installation Sites for ActiveX Controls*
+- GP name: *ApprovedActiveXInstallSites*
+- GP ADMX file name: *ActiveXInstallService.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
new file mode 100644
index 0000000000..1611634651
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -0,0 +1,122 @@
+---
+title: Policy CSP - ApplicationDefaults
+description: Policy CSP - ApplicationDefaults
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - ApplicationDefaults
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## ApplicationDefaults policies + + +**ApplicationDefaults/DefaultAssociationsConfiguration** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. + +

    If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + +

    To create create the SyncML, follow these steps: +

      +
    1. Install a few apps and change your defaults.
    2. +
    3. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
    4. +
    5. Take the XML output and put it through your favorite base64 encoder app.
    6. +
    7. Paste the base64 encoded XML into the SyncML
    8. +
    + +

    Here is an example output from the dism default association export command: + +``` syntax + + + + + + + +Here is the base64 encoded result: + +``` syntax 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 +``` + +

    Here is the SyncMl example: + +``` syntax + + + + + 101 + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration + + PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= + + + + + + +``` + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## ApplicationDefaults policies supported by Microsoft Surface Hub
+
+- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
new file mode 100644
index 0000000000..04487cf2a4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -0,0 +1,490 @@
+---
+title: Policy CSP - ApplicationManagement
+description: Policy CSP - ApplicationManagement
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - ApplicationManagement
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## ApplicationManagement policies + + +**ApplicationManagement/AllowAllTrustedApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether non Windows Store apps are allowed. + +

    The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

    Most restricted value is 0. + + + + +**ApplicationManagement/AllowAppStoreAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether automatic update of apps from Windows Store are allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**ApplicationManagement/AllowDeveloperUnlock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether developer unlock is allowed. + +

    The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

    Most restricted value is 0. + + + + +**ApplicationManagement/AllowGameDVR** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

    Specifies whether DVR and broadcasting is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**ApplicationManagement/AllowSharedUserAppData** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether multiple users of the same app can share data. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

    Most restricted value is 0. + + + + +**ApplicationManagement/AllowStore** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +

    Specifies whether app store is allowed at the device. + +

    The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+

    Most restricted value is 0. + + + + +**ApplicationManagement/ApplicationRestrictions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + +  +

    An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
+
+> [!NOTE]
+> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
+>
+> Here's additional guidance for the upgrade process:
+>
+> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
+> - In the SyncML, you must use lowercase product ID.
+> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
+> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
+
+
+

    An application that is running may not be immediately terminated. + +

    Value type is chr. + +

    Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. + + + + +**ApplicationManagement/DisableStoreOriginatedApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. + +

    The following list shows the supported values: + +- 0 (default) – Enable launch of apps. +- 1 – Disable launch of apps. + + + + +**ApplicationManagement/RequirePrivateStoreOnly** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck markcheck markcheck markcheck mark
    + + + +

    Allows disabling of the retail catalog and only enables the Private store.
+
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
+
+
+

    The following list shows the supported values:
+
+- 0 (default) – Allow both public and Private store.
+- 1 – Only Private store is enabled.
+
+

    This is a per user policy. + +

    Most restricted value is 1. + + + + +**ApplicationManagement/RestrictAppDataToSystemVolume** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether application data is restricted to the system drive. + +

    The following list shows the supported values:
+
+- 0 (default) – Not restricted.
+- 1 – Restricted.
+
+

    Most restricted value is 1. + + + + +**ApplicationManagement/RestrictAppToSystemVolume** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether the installation of applications is restricted to the system drive. + +

    The following list shows the supported values:
+
+- 0 (default) – Not restricted.
+- 1 – Restricted.
+
+

    Most restricted value is 1. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## ApplicationManagement policies supported by Windows Holographic for Business
+
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+
+
+
+## ApplicationManagement policies supported by IoT Core
+
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+
+
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
new file mode 100644
index 0000000000..b0b817880f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -0,0 +1,1391 @@
+---
+title: Policy CSP - AppVirtualization
+description: Policy CSP - AppVirtualization
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - AppVirtualization
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## AppVirtualization policies + + +**AppVirtualization/AllowAppVClient** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable App-V Client* +- GP name: *EnableAppV* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowDynamicVirtualization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable Dynamic Virtualization* +- GP name: *Virtualization_JITVEnable* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageCleanup** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable automatic cleanup of unused appv packages* +- GP name: *PackageManagement_AutoCleanupEnable* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageScripts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Enables scripts defined in the package manifest of configuration files that should run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable Package Scripts* +- GP name: *Scripting_Enable_Package_Scripts* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPublishingRefreshUX** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Enables a UX to display to the user when a publishing refresh is performed on the client. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable Publishing Refresh UX* +- GP name: *Enable_Publishing_Refresh_UX* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowReportingServer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Reporting Server URL: Displays the URL of reporting server. + +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. + +Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. + +Repeat reporting for every (days): The periodical interval in days for sending the reporting data. + +Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. + +Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. 
+ + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Reporting Server* +- GP name: *Reporting_Server_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingFileExclusions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Roaming File Exclusions* +- GP name: *Integration_Roaming_File_Exclusions* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingRegistryExclusions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Roaming Registry Exclusions* +- GP name: *Integration_Roaming_Registry_Exclusions* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowStreamingAutoload** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies how new packages should be loaded automatically by App-V on a specific computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify what to load in background (aka AutoLoad)* +- GP name: *Steaming_Autoload* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/ClientCoexistenceAllowMigrationmode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable Migration Mode* +- GP name: *Client_Coexistence_Enable_Migration_mode* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootGlobal** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Integration Root User* +- GP name: *Integration_Root_User* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootUser** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Integration Root Global* +- GP name: *Integration_Root_Global* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer1** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Publishing Server 1 Settings* +- GP name: *Publishing_Server1_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer2** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Publishing Server 2 Settings* +- GP name: *Publishing_Server2_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer3** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Publishing Server 3 Settings* +- GP name: *Publishing_Server3_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer4** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Publishing Server 4 Settings* +- GP name: *Publishing_Server4_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer5** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Publishing Server 5 Settings* +- GP name: *Publishing_Server5_Policy* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the path to a valid certificate in the certificate store. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Certificate Filter For Client SSL* +- GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowHighCostLaunch** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* +- GP name: *Streaming_Allow_High_Cost_Launch* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowLocationProvider** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Location Provider* +- GP name: *Streaming_Location_Provider* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageInstallationRoot** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies directory where all new applications and updates will be installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Package Installation Root* +- GP name: *Streaming_Package_Installation_Root* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageSourceRoot** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Overrides source location for downloading package content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Package Source Root* +- GP name: *Streaming_Package_Source_Root* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentInterval** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the number of seconds between attempts to reestablish a dropped session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Reestablishment Interval* +- GP name: *Streaming_Reestablishment_Interval* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentRetries** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies the number of times to retry a dropped session. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Reestablishment Retries* +- GP name: *Streaming_Reestablishment_Retries* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSharedContentStoreMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies that streamed package contents will be not be saved to the local hard disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Shared Content Store (SCS) mode* +- GP name: *Streaming_Shared_Content_Store_Mode* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSupportBranchCache** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable Support for BranchCache* +- GP name: *Streaming_Support_Branch_Cache* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingVerifyCertificateRevocationList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Verifies Server certificate revocation status before streaming using HTTPS. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Verify certificate revocation list* +- GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/VirtualComponentsAllowList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Virtual Component Process Allow List* +- GP name: *Virtualization_JITVAllowList* +- GP ADMX file name: *appv.admx* + + + +
    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
new file mode 100644
index 0000000000..5d23ee3459
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -0,0 +1,184 @@
+---
+title: Policy CSP - AttachmentManager
+description: Policy CSP - AttachmentManager
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - AttachmentManager
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## AttachmentManager policies + + +**AttachmentManager/DoNotPreserveZoneInformation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. + +If you enable this policy setting, Windows does not mark file attachments with their zone information. + +If you disable this policy setting, Windows marks file attachments with their zone information. + +If you do not configure this policy setting, Windows marks file attachments with their zone information. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not preserve zone information in file attachments* +- GP name: *AM_MarkZoneOnSavedAtttachments* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/HideZoneInfoMechanism** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. + +If you enable this policy setting, Windows hides the check box and Unblock button. + +If you disable this policy setting, Windows shows the check box and Unblock button. + +If you do not configure this policy setting, Windows hides the check box and Unblock button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Hide mechanisms to remove zone information* +- GP name: *AM_RemoveZoneInfo* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/NotifyAntivirusPrograms** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. + +If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. + +If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + +If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Notify antivirus programs when opening attachments* +- GP name: *AM_CallIOfficeAntiVirus* +- GP ADMX file name: *AttachmentManager.admx* + + + +
    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
new file mode 100644
index 0000000000..d6e687ff2b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -0,0 +1,166 @@
+---
+title: Policy CSP - Authentication
+description: Policy CSP - Authentication
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Authentication
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Authentication policies + + +**Authentication/AllowEAPCertSSO** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. + + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Authentication/AllowFastReconnect** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows EAP Fast Reconnect from being attempted for EAP Method TLS. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Authentication/AllowSecondaryAuthenticationDevice** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

    The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Authentication policies supported by Windows Holographic for Business
+
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+
+
+
+## Authentication policies supported by IoT Core
+
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+
+
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
new file mode 100644
index 0000000000..8d520d5bf1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -0,0 +1,197 @@
+---
+title: Policy CSP - Autoplay
+description: Policy CSP - Autoplay
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Autoplay
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Autoplay policies + + +**Autoplay/DisallowAutoplayForNonVolumeDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting disallows AutoPlay for MTP devices like cameras or phones. + +If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. + +If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disallow Autoplay for non-volume devices* +- GP name: *NoAutoplayfornonVolume* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/SetDefaultAutoRunBehavior** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting sets the default behavior for Autorun commands. + +Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. + +Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. + +This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. + +If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: + +a) Completely disable autorun commands, or +b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. + +If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Set the default behavior for AutoRun* +- GP name: *NoAutorun* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/TurnOffAutoPlay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to turn off the Autoplay feature. + +Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. + +Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. + +Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. + +If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. + +This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. + +If you disable or do not configure this policy setting, AutoPlay is enabled. + +Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off Autoplay* +- GP name: *Autorun* +- GP ADMX file name: *AutoPlay.admx* + + + +
    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
new file mode 100644
index 0000000000..d400b459dc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -0,0 +1,72 @@
+---
+title: Policy CSP - Bitlocker
+description: Policy CSP - Bitlocker
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Bitlocker
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Bitlocker policies + + +**Bitlocker/EncryptionMethod** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies the BitLocker Drive Encryption method and cipher strength. + +> [!NOTE] +> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop. + +

    The following list shows the supported values: + +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit (Desktop only) +- 7 - XTS-AES 256-bit (Desktop only) + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
new file mode 100644
index 0000000000..36f22b68f0
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -0,0 +1,242 @@
+---
+title: Policy CSP - Bluetooth
+description: Policy CSP - Bluetooth
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Bluetooth
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Bluetooth policies + + +**Bluetooth/AllowAdvertising** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether the device can send out Bluetooth advertisements. + +

    The following list shows the supported values: + +- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. +- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. + +

    If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

    Most restricted value is 0. + + + + +**Bluetooth/AllowDiscoverableMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether other Bluetooth-enabled devices can discover the device. + +

    The following list shows the supported values: + +- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. +- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. + +

    If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

    Most restricted value is 0. + + + + +**Bluetooth/AllowPrepairing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + + + +

    Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default)– Allowed. + + + + +**Bluetooth/LocalDeviceName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Sets the local Bluetooth device name. + +

    If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. + +

    If this policy is not set or it is deleted, the default local radio name is used. + + + + +**Bluetooth/ServicesAllowedList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. + +

    The default value is an empty string. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Bluetooth policies supported by Windows Holographic for Business
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+
+
+
+## Bluetooth policies supported by IoT Core
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+
+
+
+## Bluetooth policies supported by Microsoft Surface Hub
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
new file mode 100644
index 0000000000..1f89d48fa9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -0,0 +1,1437 @@
+---
+title: Policy CSP - Browser
+description: Policy CSP - Browser
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Browser
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Browser policies + + +**Browser/AllowAddressBarDropdown** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  + +> [!NOTE] +> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. + +

    The following list shows the supported values: + +- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  +- 1 (default) – Allowed. Address bar drop-down is enabled. + +

    Most restricted value is 0. + + + + +**Browser/AllowAutofill** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +

    Specifies whether autofill on websites is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +

    To verify AllowAutofill is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is greyed out. + + + + +**Browser/AllowBrowser** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + + +

    Specifies whether the browser is allowed on the device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +

    When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. + + + + +**Browser/AllowCookies** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether cookies are allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +

    To verify AllowCookies is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Cookies** is greyed out. + + + + +**Browser/AllowDeveloperTools** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Browser/AllowDoNotTrack** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether Do Not Track headers are allowed. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

    Most restricted value is 1. + +

    To verify AllowDoNotTrack is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Send Do Not Track requests** is greyed out. + + + + +**Browser/AllowExtensions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Browser/AllowFlash** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Browser/AllowFlashClickToRun** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. + +

    The following list shows the supported values: + +- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. +- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. + + + + +**Browser/AllowInPrivate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether InPrivate browsing is allowed on corporate networks. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Browser/AllowMicrosoftCompatibilityList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. +By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". + +

    If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. + +

    The following list shows the supported values: + +- 0 – Not enabled. +- 1 (default) – Enabled. + +

    Most restricted value is 0. + + + + +**Browser/AllowPasswordManager** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether saving and managing passwords locally on the device is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +

    To verify AllowPasswordManager is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. + + + + +**Browser/AllowPopups** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +

    Specifies whether pop-up blocker is allowed or enabled. + +

    The following list shows the supported values: + +- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. +- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. + +

    Most restricted value is 1. + +

    To verify AllowPopups is set to 0 (not allowed): + +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Block pop-ups** is greyed out. + + + + +**Browser/AllowSearchEngineCustomization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  +   +

    If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Browser/AllowSearchSuggestionsinAddressBar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether search suggestions are allowed in the address bar. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Browser/AllowSmartScreen** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether Windows Defender SmartScreen is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 1. + +

    To verify AllowSmartScreen is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + + +**Browser/ClearBrowsingDataOnExit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. + +

    The following list shows the supported values: + +- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. +- 1 – Browsing data is cleared on exit. + +

    Most restricted value is 1. + +

    To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): + +1. Open Microsoft Edge and browse to websites. +2. Close the Microsoft Edge window. +3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. + + + + +**Browser/ConfigureAdditionalSearchEngines** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  +  +

    If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). +Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  + +

    If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. +  +> [!IMPORTANT] +> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  + +

    The following list shows the supported values: + +- 0 (default) – Additional search engines are not allowed. +- 1 – Additional search engines are allowed. + +

    Most restricted value is 0. + + + + +**Browser/DisableLockdownOfStartPages** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  +   +> [!NOTE] +> This policy has no effect when the Browser/HomePages policy is not configured.  +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

    The following list shows the supported values: + +- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  +- 1 – Disable lockdown of the Start pages and allow users to modify them.   + +

    Most restricted value is 0. + + + + +**Browser/EnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +  +

    Allows the user to specify an URL of an enterprise site list. + +

    The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL location of the enterprise site list. + + + + +**Browser/EnterpriseSiteListServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +> [!IMPORTANT] +> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). + + + + +**Browser/FirstRunURL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. + +

    The data type is a string. + +

    The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. + + + + +**Browser/HomePages** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. + +

    Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" + +

    Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. + +

    Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  + +> [!NOTE] +> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + + +**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +

    Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +

    The following list shows the supported values: + +- 0 (default) – Users can access the about:flags page in Microsoft Edge. +- 1 – Users can't access the about:flags page in Microsoft Edge. + + + + +**Browser/PreventFirstRunPage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. + +

    The following list shows the supported values: + +- 0 (default) – Employees see the First Run webpage. +- 1 – Employees don't see the First Run webpage. + +

    Most restricted value is 1. + + + + +**Browser/PreventLiveTileDataCollection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. + +

    The following list shows the supported values: + +- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. +- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. + +

    Most restricted value is 1. + + + + +**Browser/PreventSmartScreenPromptOverride** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. + +

    The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + +

    Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. + + + + +**Browser/PreventSmartScreenPromptOverrideForFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +

    The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + + + + +**Browser/PreventUsingLocalHostIPAddressForWebRTC** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an

    user’s localhost IP address while making phone calls using WebRTC. + +

    The following list shows the supported values: + +- 0 (default) – The localhost IP address is shown. +- 1 – The localhost IP address is hidden. + + + + +**Browser/SendIntranetTraffictoInternetExplorer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Specifies whether to send intranet traffic over to Internet Explorer. + +

    The following list shows the supported values: + +- 0 (default) – Intranet traffic is sent to Internet Explorer. +- 1 – Intranet traffic is sent to Microsoft Edge. + +

    Most restricted value is 0. + + + + +**Browser/SetDefaultSearchEngine** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. + +

    You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  +  +

    If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

    The following list shows the supported values: + +- 0 (default) - The default search engine is set to the one specified in App settings. +- 1 - Allows you to configure the default search engine for your employees. + +

    Most restricted value is 0. + + + + +**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. + +

    The following list shows the supported values: + +- 0 (default) – Interstitial pages are not shown. +- 1 – Interstitial pages are shown. + +

    Most restricted value is 0. + + + + +**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> +> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. + +

    The following list shows the supported values: + +- 0 (default) – Synchronization is off. +- 1 – Synchronization is on. + +

    To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: + +

      +
    1. Open Internet Explorer and add some favorites. +
    2. Open Microsoft Edge, then select Hub > Favorites. +
    3. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. +
    + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Browser policies that can be set using Exchange Active Sync (EAS) + +- [Browser/AllowBrowser](#browser-allowbrowser) + + + +## Browser policies supported by Windows Holographic for Business + +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) + + + +## Browser policies supported by IoT Core + +- [Browser/AllowAutofill](#browser-allowautofill) +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowInPrivate](#browser-allowinprivate) +- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) +- [Browser/AllowPopups](#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) + + + +## Browser policies supported by Microsoft Surface Hub + +- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) +- [Browser/AllowCookies](#browser-allowcookies) +- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](#browser-allowdonottrack) +- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPopups](#browser-allowpopups) +- 
[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](#browser-allowsmartscreen) +- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) +- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) +- [Browser/HomePages](#browser-homepages) +- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) +- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) + + diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md new file mode 100644 index 0000000000..827c761526 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -0,0 +1,87 @@ +--- +title: Policy CSP - Camera +description: Policy CSP - Camera +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - Camera + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## Camera policies + + +**Camera/AllowCamera** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Disables or enables the camera. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Camera policies that can be set using Exchange Active Sync (EAS)
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
+
+## Camera policies supported by IoT Core
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
+
+## Camera policies supported by Microsoft Surface Hub
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
new file mode 100644
index 0000000000..099237a30b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -0,0 +1,92 @@
+---
+title: Policy CSP - Cellular
+description: Policy CSP - Cellular
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Cellular
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Cellular policies + + +**Cellular/ShowAppCellularAccessUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Set Per-App Cellular Access UI Visibility* +- GP name: *ShowAppCellularAccessUI* +- GP ADMX file name: *wwansvc.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Cellular policies that can be set using Exchange Active Sync (EAS)
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
+
+## Cellular policies supported by IoT Core
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
+
+## Cellular policies supported by Microsoft Surface Hub
+
+- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
+
+
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
new file mode 100644
index 0000000000..4e608da6c7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -0,0 +1,617 @@
+---
+title: Policy CSP - Connectivity
+description: Policy CSP - Connectivity
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Connectivity
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Connectivity policies + + +**Connectivity/AllowBluetooth** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows the user to enable Bluetooth or restrict access. + +

    The following list shows the supported values: + +- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. +- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +> [!NOTE] +>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. + +- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +

    If this is not set or it is deleted, the default value of 2 (Allow) is used. + +

    Most restricted value is 0. + + + + +**Connectivity/AllowCellularData** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +

    Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. + +

    The following list shows the supported values: + +- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow the cellular data channel. The user can turn it off. +- 2 - Allow the cellular data channel. The user cannot turn it off. + + + + +**Connectivity/AllowCellularDataRoaming** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. + +

    The following list shows the supported values: + +- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow cellular data roaming. +- 2 - Allow cellular data roaming on. The user cannot turn it off. + +

    Most restricted value is 0. + +

    To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. + +

    To validate on mobile devices, do the following: + +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. + + + + +**Connectivity/AllowConnectedDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + +

    The following list shows the supported values: + +- 1 (default) - Allow (CDP service available). +- 0 - Disable (CDP service not available). + + + + +**Connectivity/AllowNFC** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Allows or disallows near field communication (NFC) on the device. + +

    The following list shows the supported values: + +- 0 – Do not allow NFC capabilities. +- 1 (default) – Allow NFC capabilities. + +

    Most restricted value is 0. + + + + +**Connectivity/AllowUSBConnection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. + +

    Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Connectivity/AllowVPNOverCellular** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies what type of underlying connections VPN is allowed to use. + +

    The following list shows the supported values: + +- 0 – VPN is not allowed over cellular. +- 1 (default) – VPN can use any connection, including cellular. + +

    Most restricted value is 0. + + + + +**Connectivity/AllowVPNRoamingOverCellular** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Prevents the device from connecting to VPN when the device roams over cellular networks. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Connectivity/DiablePrintingOverHTTP** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off printing over HTTP* +- GP name: *DisableHTTPPrinting_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off downloading of print drivers over HTTP* +- GP name: *DisableWebPnPDownload_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off Internet download for Web publishing and online ordering wizards* +- GP name: *ShellPreventWPWDownload_2* +- GP ADMX file name: *ICM.admx* + + + + +**Connectivity/HardenedUNCPaths** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting configures secure access to UNC paths. + +If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Hardened UNC Paths* +- GP name: *Pol_HardenedPaths* +- GP ADMX file name: *networkprovider.admx* + + + + +**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* +- GP name: *NC_AllowNetBridge_NLA* +- GP ADMX file name: *NetworkConnections.admx* + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Connectivity policies that can be set using Exchange Active Sync (EAS)
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+
+
+
+## Connectivity policies supported by Windows Holographic for Business
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+
+
+
+## Connectivity policies supported by IoT Core
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowNFC](#connectivity-allownfc)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
+- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
+- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
+
+
+
+## Connectivity policies supported by Microsoft Surface Hub
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
+
+
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
new file mode 100644
index 0000000000..4ea0afb98d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -0,0 +1,178 @@
+---
+title: Policy CSP - CredentialProviders
+description: Policy CSP - CredentialProviders
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - CredentialProviders
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## CredentialProviders policies + + +**CredentialProviders/AllowPINLogon** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to control whether a domain user can sign in using a convenience PIN. + +If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. + +If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. + +Note: The user's domain password will be cached in the system vault when using this feature. + +To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on convenience PIN sign-in* +- GP name: *AllowDomainPINLogon* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialProviders/BlockPicturePassword** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to control whether a domain user can sign in using a picture password. + +If you enable this policy setting, a domain user can't set up or sign in with a picture password. + +If you disable or don't configure this policy setting, a domain user can set up and use a picture password. + +Note that the user's domain password will be cached in the system vault when using this feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off picture password sign-in* +- GP name: *BlockDomainPicturePassword* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialProviders/DisableAutomaticReDeploymentCredentials** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. + +The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. + +- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment +- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## CredentialProviders policies supported by IoT Core
+
+- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
+
+
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
new file mode 100644
index 0000000000..c99d68a5fe
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -0,0 +1,133 @@
+---
+title: Policy CSP - CredentialsUI
+description: Policy CSP - CredentialsUI
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - CredentialsUI
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## CredentialsUI policies + + +**CredentialsUI/DisablePasswordReveal** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to configure the display of the password reveal button in password entry user experiences. + +If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. + +If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. + +By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. + +The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not display the password reveal button* +- GP name: *DisablePasswordReveal* +- GP ADMX file name: *credui.admx* + + + + +**CredentialsUI/EnumerateAdministrators** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. + +If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. + +If you disable this policy setting, users will always be required to type a user name and password to elevate. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enumerate administrator accounts on elevation* +- GP name: *EnumerateAdministrators* +- GP ADMX file name: *credui.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
new file mode 100644
index 0000000000..28837af17c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -0,0 +1,105 @@
+---
+title: Policy CSP - Cryptography
+description: Policy CSP - Cryptography
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Cryptography
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Cryptography policies + + +**Cryptography/AllowFipsAlgorithmPolicy** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows or disallows the Federal Information Processing Standard (FIPS) policy. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1– Allowed. + + + + +**Cryptography/TLSCipherSuites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Cryptography policies supported by Microsoft Surface Hub
+
+- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+
+
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
new file mode 100644
index 0000000000..e520e4612f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -0,0 +1,113 @@
+---
+title: Policy CSP - DataProtection
+description: Policy CSP - DataProtection
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - DataProtection
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## DataProtection policies + + +**DataProtection/AllowDirectMemoryAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**DataProtection/LegacySelectiveWipeID** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!IMPORTANT] +> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. + +  +

    Setting used by Windows 8.1 Selective Wipe. + +> [!NOTE] +> This policy is not recommended for use in Windows 10. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DataProtection policies supported by IoT Core
+
+- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
+
+
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
new file mode 100644
index 0000000000..decc54ee81
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -0,0 +1,141 @@
+---
+title: Policy CSP - DataUsage
+description: Policy CSP - DataUsage
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - DataUsage
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## DataUsage policies + + +**DataUsage/SetCost3G** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting configures the cost of 3G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Set 3G Cost* +- GP name: *SetCost3G* +- GP ADMX file name: *wwansvc.admx* + + + + +**DataUsage/SetCost4G** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting configures the cost of 4G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Set 4G Cost* +- GP name: *SetCost4G* +- GP ADMX file name: *wwansvc.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
new file mode 100644
index 0000000000..337cacc79f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -0,0 +1,1491 @@
+---
+title: Policy CSP - Defender
+description: Policy CSP - Defender
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Defender
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Defender policies + + +**Defender/AllowArchiveScanning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows scanning of archives. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Allows or disallows Windows Defender Behavior Monitoring functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowCloudProtection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowEmailScanning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows scanning of email. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +**Defender/AllowFullScanOnMappedNetworkDrives** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows a full scan of mapped network drives. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +**Defender/AllowFullScanRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows a full scan of removable drives. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowIOAVProtection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Allows or disallows Windows Defender IOAVP Protection functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowIntrusionPreventionSystem** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows Windows Defender Intrusion Prevention functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowOnAccessProtection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows Windows Defender On Access Protection functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows Windows Defender Realtime Monitoring functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Allows or disallows a scanning of network files. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowScriptScanning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows Windows Defender Script Scanning functionality. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AllowUserUIAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Defender/AttackSurfaceReductionOnlyExclusions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".. + +Value type is string. + + + + +**Defender/AttackSurfaceReductionRules** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. + +Value type is string. + + + + +**Defender/AvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Represents the average CPU load factor for the Windows Defender scan (in percent). + +

    Valid values: 0–100 + +

    The default value is 50. + + + + +**Defender/CloudBlockLevel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. + +

    If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. + +

    For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +      +> [!Note] +> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. + +

    Possible options are: + +- (0x0) Default windows defender blocking level +- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)       +- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact  client performance) +- (0x6) Zero tolerance blocking level – block all unknown executables + + + + +**Defender/CloudExtendedTimeout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. + +

    The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. + +

    For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. + +> [!Note] +> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". + + + + +**Defender/DaysToRetainCleanedMalware** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Time period (in days) that quarantine items will be stored on the system. + +

    Valid values: 0–90 + +

    The default value is 0, which keeps items in quarantine, and does not automatically remove them. + + + + +**Defender/EnableGuardMyFolders** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. + +- 0 (default) - Off +- 1 - Audit mode +- 2 - Enforcement mode + + + + +**Defender/EnableNetworkProtection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. + +

    If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. +

    If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +

    If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center. +

    If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center. +

    If you do not configure this policy, network blocking will be disabled by default. + +

    Valid values: + +- 0 (default) - Disabled +- 1 - Enabled (block mode) +- 2 - Enabled (audit mode) + + + + +**Defender/ExcludedExtensions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". + + + + +**Defender/ExcludedPaths** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". + + + + +**Defender/ExcludedProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. + +  +

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". + + + + +**Defender/GuardedFoldersAllowedApplications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/GuardedFoldersList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode  as the substring separator. + + + + +**Defender/PUAProtection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. + +

    The following list shows the supported values: + +- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. +- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. +- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. + + + + +**Defender/RealTimeScanDirection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Controls which sets of files should be monitored. + +> [!NOTE] +> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. + + +

    The following list shows the supported values: + +- 0 (default) – Monitor all files (bi-directional). +- 1 – Monitor incoming files. +- 2 – Monitor outgoing files. + + + + +**Defender/ScanParameter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Selects whether to perform a quick scan or full scan. + +

    The following list shows the supported values: + +- 1 (default) – Quick scan +- 2 – Full scan + + + + +**Defender/ScheduleQuickScanTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Selects the time of day that the Windows Defender quick scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + +  +

    Valid values: 0–1380 + +

    For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

    The default value is 120 + + + + +**Defender/ScheduleScanDay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Selects the day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

    The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Monday +- 2 – Tuesday +- 3 – Wednesday +- 4 – Thursday +- 5 – Friday +- 6 – Saturday +- 7 – Sunday +- 8 – No scheduled scan + + + + +**Defender/ScheduleScanTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

    Selects the time of day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

    Valid values: 0–1380. + +

    For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

    The default value is 120. + + + + +**Defender/SignatureUpdateInterval** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. + +

    Valid values: 0–24. + +

    A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. + +

    The default value is 8. + + + + +**Defender/SubmitSamplesConsent** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

    Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. + +

    The following list shows the supported values: + +- 0 – Always prompt. +- 1 (default) – Send safe samples automatically. +- 2 – Never send. +- 3 – Send all samples automatically. + + + + +**Defender/ThreatSeverityDefaultAction** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. +  + +

    Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. + +

    This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 + +

    The following list shows the supported values for threat severity levels: + +- 1 – Low severity threats +- 2 – Moderate severity threats +- 4 – High severity threats +- 5 – Severe threats + +

    The following list shows the supported values for possible actions: + +- 1 – Clean +- 2 – Quarantine +- 3 – Remove +- 6 – Allow +- 8 – User defined +- 10 – Block + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Defender policies supported by Microsoft Surface Hub + +- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- 
[Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+
+
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
new file mode 100644
index 0000000000..830147907b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -0,0 +1,655 @@
+---
+title: Policy CSP - DeliveryOptimization
+description: Policy CSP - DeliveryOptimization
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - DeliveryOptimization
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## DeliveryOptimization policies + + +**DeliveryOptimization/DOAbsoluteMaxCacheSize** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. + +

    The default value is 10. + + + + +**DeliveryOptimization/DOAllowVPNPeerCaching** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +

    The default value is 0 (FALSE). + + + + +**DeliveryOptimization/DODownloadMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. + +

    The following list shows the supported values: + +- 0 –HTTP only, no peering. +- 1 (default) – HTTP blended with peering behind the same NAT. +- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. +- 3 – HTTP blended with Internet peering. +- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. + + + + +**DeliveryOptimization/DOGroupId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. + +> [!NOTE] +> You must use a GUID as the group ID. + + + + +**DeliveryOptimization/DOMaxCacheAge** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. + +

    The default value is 259200 seconds (3 days). + + + + +**DeliveryOptimization/DOMaxCacheSize** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

    Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). + +

    The default value is 20. + + + + +**DeliveryOptimization/DOMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. +  + +

    Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + +

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + + +**DeliveryOptimization/DOMaxUploadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

    Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. + +

    The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). + + + + +**DeliveryOptimization/DOMinBackgroundQos** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. + +

    The default value is 500. + + + + +**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +

    Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. + +

    The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. + + + + +**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. + +> [!NOTE] +> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. + +

    The default value is 32 GB. + + + + +**DeliveryOptimization/DOMinFileSizeToCache** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. + +

    The default value is 100 MB. + + + + +**DeliveryOptimization/DOMinRAMAllowedToPeer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. + +

    The default value is 4 GB. + + + + +**DeliveryOptimization/DOModifyCacheDrive** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. + +

    By default, %SystemDrive% is used to store the cache. + + + + +**DeliveryOptimization/DOMonthlyUploadDataCap** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. + +

    The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + +

    The default value is 20. + + + + +**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

    Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. + +

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DeliveryOptimization policies supported by Microsoft Surface Hub + +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) + + diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md new file mode 100644 index 0000000000..2a09f78ddf --- /dev/null +++ b/windows/client-management/mdm/policy-csp-desktop.md 
@@ -0,0 +1,86 @@
+---
+title: Policy CSP - Desktop
+description: Policy CSP - Desktop
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Desktop
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Desktop policies + + +**Desktop/PreventUserRedirectionOfProfileFolders** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Prevents users from changing the path to their profile folders. + +By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. + +If you enable this setting, users are unable to type a new location in the Target box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prohibit User from manually redirecting Profile Folders* +- GP name: *DisablePersonalDirChange* +- GP ADMX file name: *desktop.admx* + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Desktop policies supported by Microsoft Surface Hub + +- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) + + diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md new file mode 100644 index 0000000000..f104ff82b3 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -0,0 +1,148 @@ +--- +title: Policy CSP - DeviceGuard +description: Policy CSP - DeviceGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - DeviceGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## DeviceGuard policies + + +**DeviceGuard/EnableVirtualizationBasedSecurity** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    + + + +  +

    Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: +

      +
    • 0 (default) - disable virtualization based security
    • +
    • 1 - enable virtualization based security
    • +
    + + + + +**DeviceGuard/LsaCfgFlags** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    + + + +  +

    Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: +

      +
    • 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock
    • +
    • 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock
    • +
    • 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock
    • + +
    + + + + +**DeviceGuard/RequirePlatformSecurityFeatures** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcheck mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values: +
      +
    • 1 (default) - Turns on VBS with Secure Boot.
    • +
    • 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
    • +
    +  +

    + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## DeviceGuard policies supported by Microsoft Surface Hub + +- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) + + diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md new file mode 100644 index 0000000000..4f4b4d25d5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -0,0 +1,129 @@ +--- +title: Policy CSP - DeviceInstallation +description: Policy CSP - DeviceInstallation +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - DeviceInstallation + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## DeviceInstallation policies + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent installation of devices that match any of these device IDs* +- GP name: *DeviceInstall_IDs_Deny* +- GP ADMX file name: *deviceinstallation.admx* + + + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent installation of devices using drivers that match these device setup classes* +- GP name: *DeviceInstall_Classes_Deny* +- GP ADMX file name: *deviceinstallation.admx* + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md new file mode 100644 index 0000000000..8ac0f11942 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -0,0 +1,849 @@ +--- +title: Policy CSP - DeviceLock +description: Policy CSP - DeviceLock +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - DeviceLock + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## DeviceLock policies + + +**DeviceLock/AllowIdleReturnWithoutPassword** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

    Specifies whether the user must input a PIN or password when the device resumes from an idle state. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + +  +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

    Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +> [!IMPORTANT] +> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. + + + + +**DeviceLock/AllowSimpleDevicePassword** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/AlphanumericDevicePasswordRequired** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). + + +

    The following list shows the supported values: + +- 0 – Alphanumeric PIN or password required. +- 1 – Numeric PIN or password required. +- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. + +> [!NOTE] +> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. +> +> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. + +  + + + + +**DeviceLock/DevicePasswordEnabled** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether device lock is enabled. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +  + +

    The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + +> [!IMPORTANT] +> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +  + +> [!IMPORTANT] +> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: +> +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 +> +> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: +> +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters + +> [!Important] +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: +> - **DevicePasswordEnabled** is the parent policy of the following: +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters  +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock + + + + +**DeviceLock/DevicePasswordExpiration** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies when the password expires (in days). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- An integer X where 0 <= X <= 730. +- 0 (default) - Passwords do not expire. + +

    If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/DevicePasswordHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies how many passwords can be stored in the history that can’t be used. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- An integer X where 0 <= X <= 50. +- 0 (default) + +

    The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. + +

    Max policy value is the most restricted. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/EnforceLockScreenAndLogonImage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. + +> [!NOTE] +> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. + + +

    Value type is a string, which is the full image filepath and filename. + + + + +**DeviceLock/EnforceLockScreenProvider** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. + +> [!NOTE] +> This policy is only enforced in Windows 10 for mobile devices. + + +

    Value type is a string, which is the AppID. + + + + +**DeviceLock/MaxDevicePasswordFailedAttempts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    This policy has different behaviors on the mobile device and desktop. + +- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. +- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. + + Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. + +

    The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. +- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. + +

    Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/MaxInactivityTimeDeviceLock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + +**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

    The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + + + + +**DeviceLock/MinDevicePasswordComplexCharacters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + +

    PIN enforces the following behavior for desktop and mobile devices: + +- 1 - Digits only +- 2 - Digits and lowercase letters are required +- 3 - Digits, lowercase letters, and uppercase letters are required +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required + +

    The default value is 1. The following list shows the supported values and actual enforced values: + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Account TypeSupported ValuesActual Enforced Values

    Mobile

    1,2,3,4

    Same as the value set

    Desktop Local Accounts

    1,2,3

    3

    Desktop Microsoft Accounts

    1,2

    Desktop Domain Accounts

    Not supported

    Not supported

    + + +

    Enforced values for Local and Microsoft Accounts: + +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: + + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) + +

    The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + +**DeviceLock/MinDevicePasswordLength** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies the minimum number or characters required in the PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + + +

    The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. +- Not enforced. +- The default value is 4 for mobile devices and desktop devices. + +

    Max policy value is the most restricted. + +

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + +**DeviceLock/PreventLockScreenSlideShow** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. + +By default, users can enable a slide show that will run after they lock the machine. + +If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent enabling lock screen slide show* +- GP name: *CPL_Personalization_NoLockScreenSlideshow* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + + +**DeviceLock/ScreenTimeoutWhileLocked** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +  +

    Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. + +

    Minimum supported value is 10. + +

    Maximum supported value is 1800. + +

    The default value is 10. + +

    Most restricted value is 0. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DeviceLock policies that can be set using Exchange Active Sync (EAS)
+
+- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)
+
+
+
+## DeviceLock policies supported by Windows Holographic for Business
+
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+
+
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
new file mode 100644
index 0000000000..c10d926963
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -0,0 +1,119 @@
+---
+title: Policy CSP - Display
+description: Policy CSP - Display
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Display
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Display policies + + +**Display/TurnOffGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

    This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. + +

    If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

    If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. + +

    If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

    To validate on Desktop, do the following: + +1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. +2. Run the app and observe blurry text. + + + + +**Display/TurnOnGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

    This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. + +

    If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. + +

    If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

    If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

    To validate on Desktop, do the following: + +1. Configure the setting for an app which uses GDI. +2. Run the app and observe crisp text. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
new file mode 100644
index 0000000000..a1912d6edc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -0,0 +1,133 @@
+---
+title: Policy CSP - Education
+description: Policy CSP - Education
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/27/2017
+---
+
+# Policy CSP - Education
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Education policies + + +**Education/DefaultPrinterName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer. + +The policy value is expected to be the name (network host name) of an installed printer. + + + + +**Education/PreventAddingNewPrinters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings. + +The following list shows the supported values: + +- 0 (default) – Allow user installation. +- 1 – Prevent user installation. + + + + +**Education/PrinterNames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names). + +The policy value is expected to be a `````` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
new file mode 100644
index 0000000000..7b33c7e5b4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -0,0 +1,241 @@
+---
+title: Policy CSP - EnterpriseCloudPrint
+description: Policy CSP - EnterpriseCloudPrint
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - EnterpriseCloudPrint
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## EnterpriseCloudPrint policies + + +**EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. + +

    The datatype is a string. + +

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". + + + + +**EnterpriseCloudPrint/CloudPrintOAuthClientId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. + +

    The datatype is a string. + +

    The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". + + + + +**EnterpriseCloudPrint/CloudPrintResourceId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. + +

    The datatype is a string. + +

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". + + + + +**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. + +

    The datatype is a string. + +

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". + + + + +**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. + +

    The datatype is an integer. + +

    For Windows Mobile, the default value is 20. + + + + +**EnterpriseCloudPrint/MopriaDiscoveryResourceId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. + +

    The datatype is a string. + +

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
new file mode 100644
index 0000000000..800c8ac975
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -0,0 +1,290 @@
+---
+title: Policy CSP - ErrorReporting
+description: Policy CSP - ErrorReporting
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - ErrorReporting
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## ErrorReporting policies + + +**ErrorReporting/CustomizeConsentSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Customize consent settings* +- GP name: *WerConsentCustomize_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisableWindowsErrorReporting** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disable Windows Error Reporting* +- GP name: *WerDisable_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisplayErrorNotification** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether users are shown an error dialog box that lets them report an error. + +If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. + +If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. + +If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. + +See also the Configure Error Reporting policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Display Error Notification* +- GP name: *PCH_ShowUI* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DoNotSendAdditionalData** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_2* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/PreventCriticalErrorDisplay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting prevents the display of the user interface for critical errors. + +If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. + +If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent display of the user interface for critical errors* +- GP name: *WerDoNotShowUI* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
new file mode 100644
index 0000000000..a1f5c9527e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -0,0 +1,229 @@
+---
+title: Policy CSP - EventLogService
+description: Policy CSP - EventLogService
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - EventLogService
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## EventLogService policies + + +**EventLogService/ControlEventLogBehavior** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_1* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeApplicationLog** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_1* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSecurityLog** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_2* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSystemLog** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_4* +- GP ADMX file name: *eventlog.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
new file mode 100644
index 0000000000..c69b113a36
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -0,0 +1,823 @@
+---
+title: Policy CSP - Experience
+description: Policy CSP - Experience
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Experience
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Experience policies + + +**Experience/AllowCopyPaste** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

    Specifies whether copy and paste is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowCortana** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + +

    Benefit to the customer: + +

    Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. + +

    Sample scenario: + +

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. + + + + +**Experience/AllowDeviceDiscovery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows users to turn on/off device discovery UX. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. + +

    Most restricted value is 0. + + + + +**Experience/AllowFindMyDevice** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy turns on Find My Device. + +

    When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. + +

    When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Experience/AllowManualMDMUnenrollment** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. + +> [!NOTE] +> The MDM server can always remotely delete the account. + + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies whether to display dialog prompt when no SIM card is detected. + +

    The following list shows the supported values: + +- 0 – SIM card dialog prompt is not displayed. +- 1 (default) – SIM card dialog prompt is displayed. + + + + +**Experience/AllowScreenCapture** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies whether screen capture is allowed. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowSyncMySettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). + +

    The following list shows the supported values: + +- 0 – Sync settings is not allowed. +- 1 (default) – Sync settings allowed. + + + + +**Experience/AllowTailoredExperiencesWithDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

    Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. + +

    Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. + +> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowTaskSwitcher** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Allows or disallows task switching on the device. + +

    The following list shows the supported values: + +- 0 – Task switching not allowed. +- 1 (default) – Task switching allowed. + + + + +**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + + +

    Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + +

    The following list shows the supported values: + +- 0 – Third-party suggestions not allowed. +- 1 (default) – Third-party suggestions allowed. + + + + +**Experience/AllowVoiceRecording** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies whether voice recording is allowed for apps. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowWindowsConsumerFeatures** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. + +  +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

    Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlightOnActionCenter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

    Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

    Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Experience/AllowWindowsTips** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +Enables or disables Windows Tips / soft landing. + +

    The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + + + + +**Experience/ConfigureWindowsSpotlightOnLockScreen** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

    Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. + +

    The following list shows the supported values: + +- 0 – None. +- 1 (default) – Windows spotlight enabled. +- 2 – placeholder only for future extension. Using this value has no effect. + + + + +**Experience/DoNotShowFeedbackNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Prevents devices from showing feedback questions from Microsoft. + +

    If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. + +

    If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + +

    The following list shows the supported values: + +- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. +- 1 – Feedback notifications are disabled. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Experience policies supported by Windows Holographic for Business
+
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+
+
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
new file mode 100644
index 0000000000..5cb47e7195
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -0,0 +1,42 @@
+---
+title: Policy CSP - Games
+description: Policy CSP - Games
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Games
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Games policies + + +**Games/AllowAdvancedGamingServices** + + + + + +

    Placeholder only. Currently not supported. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
new file mode 100644
index 0000000000..b5377f7a59
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -0,0 +1,12119 @@
+---
+title: Policy CSP - InternetExplorer
+description: Policy CSP - InternetExplorer
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/16/2017
+---
+
+# Policy CSP - InternetExplorer
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## InternetExplorer policies + + +**InternetExplorer/AddSearchProvider** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. + +If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Add a specific list of search providers to the user's list of search providers* +- GP name: *AddSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowActiveXFiltering** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. + +If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. + +If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on ActiveX Filtering* +- GP name: *TurnOnActiveXFiltering* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowAddOnList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. + +This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. + +If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: + +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. + +Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. + +If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Add-on List* +- GP name: *AddonManagement_AddOnList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowAutoComplete** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on the auto-complete feature for user names and passwords on forms* +- GP name: *RestrictFormSuggestPW* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowCertificateAddressMismatchWarning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on certificate address mismatch warning* +- GP name: *IZ_PolicyWarnCertMismatch* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow deleting browsing history on exit* +- GP name: *DBHDisableDeleteOnExit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnhancedProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. + +If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. + +If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. + +If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Enhanced Protected Mode* +- GP name: *Advanced_EnableEnhancedProtectedMode* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeFromToolsMenu** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. + +If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. + +If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* +- GP name: *EnterpriseModeEnable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. + +If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. + +If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Use the Enterprise Mode IE website list* +- GP name: *EnterpriseModeSiteList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowFallbackToSSL3** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)* +- GP name: *Advanced_EnableSSL3Fallback* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorer7PolicyList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. + +If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. + +If you disable or do not configure this policy setting, the user can add and remove sites from the list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Use Policy List of Internet Explorer 7 sites* +- GP name: *CompatView_UsePolicyList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorerStandardsMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. + +If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. 
For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* +- GP name: *CompatView_IntranetSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowIntranetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLocalMachineZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownInternetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Locked-Down Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownIntranetZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Locked-Down Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Locked-Down Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Locked-Down Restricted Sites Zone Template* +- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowOneWordEntry** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. + +If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. + +If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Go to an intranet site for a one-word entry in the Address bar* +- GP name: *UseIntranetSiteForOneWordEntry* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSiteToZoneAssignmentList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. + +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) + +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: + +Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. 
+ +Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. + +If you disable or do not configure this policy, users may choose their own site-to-zone assignments. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Site to Zone Assignment List* +- GP name: *IZ_Zonemaps* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow software to run or install even if the signature is invalid* +- GP name: *Advanced_InvalidSignatureBlock* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSuggestedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. + +If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. + +If you disable this policy setting, the entry points and functionality associated with this feature are turned off. + +If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Suggested Sites* +- GP name: *EnableSuggestedSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowTrustedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Trusted Sites Zone Template* +- GP name: *IZ_PolicyTrustedSitesZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Locked-Down Trusted Sites Zone Template* +- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowsRestrictedSitesZoneTemplate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Restricted Sites Zone Template* +- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/CheckServerCertificateRevocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Check for server certificate revocation* +- GP name: *Advanced_CertificateRevocation* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/CheckSignaturesOnDownloadedPrograms** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Check for signatures on downloaded programs* +- GP name: *Advanced_DownloadSignatures* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableAdobeFlash** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. + +If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. + +If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. + +Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* +- GP name: *DisableFlashInIE* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBlockingOfOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP name: *VerMgmtDisable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBypassOfSmartScreenWarnings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent bypassing SmartScreen Filter warnings* +- GP name: *DisableSafetyFilterOverride* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* +- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableConfiguringHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disable "Configuring History"* +- GP name: *RestrictHistory* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableCrashDetection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off Crash Detection* +- GP name: *AddonManagement_RestrictCrashDetection* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). + +If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. + +If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. + +If you do not configure this policy setting, the user can choose to participate in the CEIP. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent participation in the Customer Experience Improvement Program* +- GP name: *SQM_DisableCEIP* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableDeletingUserVisitedWebsites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent deleting websites that the user has visited* +- GP name: *DBHDisableDeleteHistory* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableEnclosureDownloading** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. + +If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. + +If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent downloading of enclosures* +- GP name: *Disable_Downloading_of_Enclosures* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableEncryptionSupport** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. + +If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. + +If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. + +Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Turn off encryption support* +- GP name: *Advanced_SetWinInetProtocols* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableFirstRunWizard** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. + +If you enable this policy setting, you must make one of the following choices: +Skip the First Run wizard, and go directly to the user's home page. +Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. + +Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. + +If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent running First Run wizard* +- GP name: *NoFirstRunCustomise* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableFlipAheadFeature** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. + +Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. + +If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. + +If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. + +If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off the flip ahead with page prediction feature* +- GP name: *Advanced_DisableFlipAhead* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableHomePageChange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. + +If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. + +If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disable changing home page settings* +- GP name: *RestrictHomePage* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableIgnoringCertificateErrors** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent ignoring certificate errors* +- GP name: *NoCertError* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableInPrivateBrowsing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off InPrivate Browsing* +- GP name: *DisableInPrivateBrowsing* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableProcessesInEnhancedProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* +- GP name: *Advanced_EnableEnhancedProtectedMode64Bit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableProxyChange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies if a user can change proxy settings. + +If you enable this policy setting, the user will not be able to configure proxy settings. + +If you disable or do not configure this policy setting, the user can configure proxy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent changing proxy settings* +- GP name: *RestrictProxy* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSearchProviderChange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. + +If you enable this policy setting, the user cannot change the default search provider. + +If you disable or do not configure this policy setting, the user can change the default search provider. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent changing the default search provider* +- GP name: *NoSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSecondaryHomePageChange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. + +If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. + +If you disable or do not configure this policy setting, the user can add secondary home pages. + +Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disable changing secondary home page settings* +- GP name: *SecondaryHomePages* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableSecuritySettingsCheck** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off the Security Settings Check feature* +- GP name: *Disable_Security_Settings_Check* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DisableUpdateCheck** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Prevents Internet Explorer from checking whether a new version of the browser is available. + +If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. + +If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. + +This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disable Periodic Check for Internet Explorer software updates* +- GP name: *NoUpdateCheck* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* +- GP name: *Advanced_DisableEPMCompat* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowUsersToAddSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. + +If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) + +If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. + +This policy prevents users from changing site management settings for security zones established by the administrator. + +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. + +Also, see the "Security zones: Use only machine settings" policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Security Zones: Do not allow users to add/delete sites* +- GP name: *Security_zones_map_edit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotAllowUsersToChangePolicies** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. + +If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. + +If you disable this policy or do not configure it, users can change the settings for security zones. + +This policy prevents users from changing security zone settings established by the administrator. + +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. + +Also, see the "Security zones: Use only machine settings" policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Security Zones: Do not allow users to change policies* +- GP name: *Security_options_edit* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotBlockOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. + +If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. + +If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. + +For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* +- GP name: *VerMgmtDisable* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. + +If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: + +1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +2. "hostname". For example, if you want to include http://example, use "example" +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" + +If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. + +For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* +- GP name: *VerMgmtDomainAllowlist* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IncludeAllLocalSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. + +If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. + +If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). + +If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* +- GP name: *IZ_IncludeUnspecifiedLocalSites* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IncludeAllNetworkPaths** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. + +If you enable this policy setting, all network paths are mapped into the Intranet Zone. + +If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). + +If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Intranet Sites: Include all network paths (UNCs)* +- GP name: *IZ_UNCAsIntranet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowCopyPasteViaScript** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP name: *IZ_PolicyAllowPasteViaScript_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow drag and drop or copy and paste files* +- GP name: *IZ_PolicyDropOrPasteFiles_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow loading of XAML files* +- GP name: *IZ_Policy_XAML_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP name: *IZ_PolicyAllowTDCControl_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow script-initiated windows without size or position constraints* +- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP name: *IZ_Policy_WebBrowserControl_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow updates to status bar via script* +- GP name: *IZ_Policy_ScriptStatusBar_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDownloadSignedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Download unsigned ActiveX controls* +- GP name: *IZ_PolicyDownloadUnsignedActiveX_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains across windows* +- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains within a window* +- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableMIMESniffing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable MIME Sniffing* +- GP name: *IZ_PolicyMimeSniffingURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneEnableProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Protected Mode* +- GP name: *IZ_Policy_TurnOnProtectedMode_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Include local path when user is uploading files to a server* +- GP name: *IZ_Policy_LocalPathForUpload_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + + + + +**InternetExplorer/InternetZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Launching applications and files in an IFRAME* +- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneLogonOptions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Logon options* +- GP name: *IZ_PolicyLogon_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Show security warning for potentially unsafe files* +- GP name: *IZ_Policy_UnsafeFiles_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneUsePopupBlocker** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Use Pop-up Blocker* +- GP name: *IZ_PolicyBlockPopupWindows_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_1* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_2* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneJavaPermissions**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_3* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_6* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/NotificationBarInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Internet Explorer Processes* +- GP name: *IESF_PolicyExplorerProcesses_10* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/PreventManagingSmartScreenFilter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent managing SmartScreen Filter* +- GP name: *Disable_Managing_Safety_Filter_IE9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/PreventPerUserInstallationOfActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Prevent per-user installation of ActiveX controls* +- GP name: *DisablePerUserActiveXInstall* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_9* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP name: *VerMgmtDisableRunThisTime* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_11* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_12* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow active scripting* +- GP name: *IZ_PolicyActiveScripting_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow binary and script behaviors* +- GP name: *IZ_PolicyBinaryBehaviors_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow cut, copy or paste operations from the clipboard via script* +- GP name: *IZ_PolicyAllowPasteViaScript_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow drag and drop or copy and paste files* +- GP name: *IZ_PolicyDropOrPasteFiles_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow file downloads* +- GP name: *IZ_PolicyFileDownload_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow loading of XAML files* +- GP name: *IZ_Policy_XAML_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow META REFRESH* +- GP name: *IZ_PolicyAllowMETAREFRESH_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow only approved domains to use ActiveX controls without prompt* +- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow only approved domains to use the TDC ActiveX control* +- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow script-initiated windows without size or position constraints* +- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scripting of Internet Explorer WebBrowser controls* +- GP name: *IZ_Policy_WebBrowserControl_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow updates to status bar via script* +- GP name: *IZ_Policy_ScriptStatusBar_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Download signed ActiveX controls* +- GP name: *IZ_PolicyDownloadSignedActiveX_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Download unsigned ActiveX controls* +- GP name: *IZ_PolicyDownloadUnsignedActiveX_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains across windows* +- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable dragging of content from different domains within a window* +- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Enable MIME Sniffing* +- GP name: *IZ_PolicyMimeSniffingURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Include local path when user is uploading files to a server* +- GP name: *IZ_Policy_LocalPathForUpload_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Launching applications and files in an IFRAME* +- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneLogonOptions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Logon options* +- GP name: *IZ_PolicyLogon_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run ActiveX controls and plugins* +- GP name: *IZ_PolicyRunActiveXControls_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components signed with Authenticode* +- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Script ActiveX controls marked safe for scripting* +- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Scripting of Java applets* +- GP name: *IZ_PolicyScriptingOfJavaApplets_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Show security warning for potentially unsafe files* +- GP name: *IZ_Policy_UnsafeFiles_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Cross-Site Scripting Filter* +- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on Protected Mode* +- GP name: *IZ_Policy_TurnOnProtectedMode_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneUsePopupBlocker** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Use Pop-up Blocker* +- GP name: *IZ_PolicyBlockPopupWindows_7* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *All Processes* +- GP name: *IESF_PolicyAllProcesses_8* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SearchProviderList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. + +If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure his or her list of search providers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Restrict search providers to a specific list* +- GP name: *SpecificSearchProvider* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SecurityZonesUseOnlyMachineSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Security Zones: Use only machine settings * +- GP name: *Security_HKLM_only* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SpecifyUseOfActiveXInstallerService** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* +- GP name: *OnlyUseAXISForActiveXInstall* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowFontDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowScriptlets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Don't run antimalware programs against ActiveX controls* +- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneJavaPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Java permissions* +- GP name: *IZ_PolicyJavaPermissions_5* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* +- GP ADMX file name: *inetres.admx* + + + +
    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
new file mode 100644
index 0000000000..801ebc1f70
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -0,0 +1,283 @@
+---
+title: Policy CSP - Kerberos
+description: Policy CSP - Kerberos
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Kerberos
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Kerberos policies + + +**Kerberos/AllowForestSearchOrder** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. + +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Use forest search order* +- GP name: *ForestSearch* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP name: *EnableCbacAndArmor* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/RequireKerberosArmoring** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. + +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. + +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. + +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Fail authentication requests when Kerberos armoring is not available* +- GP name: *ClientRequireFast* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/RequireStrictKDCValidation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. + +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. + +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Require strict KDC validation* +- GP name: *ValidateKDC* +- GP ADMX file name: *Kerberos.admx* + + + + +**Kerberos/SetMaximumContextTokenSize** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. + +If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. + +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. + +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP english name: *Set maximum Kerberos SSPI context token buffer size* +- GP name: *MaxTokenSize* +- GP ADMX file name: *Kerberos.admx* + + + +
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
new file mode 100644
index 0000000000..192795ada2
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -0,0 +1,103 @@
+---
+title: Policy CSP - Licensing
+description: Policy CSP - Licensing
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Licensing
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Licensing policies + + +**Licensing/AllowWindowsEntitlementReactivation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. + +

    The following list shows the supported values: + +- 0 – Disable Windows license reactivation on managed devices. +- 1 (default) – Enable Windows license reactivation on managed devices. + + + + +**Licensing/DisallowKMSClientOnlineAVSValidation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. + +

    The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
new file mode 100644
index 0000000000..62c962b525
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -0,0 +1,1197 @@
+---
+title: Policy CSP - LocalPoliciesSecurityOptions
+description: Policy CSP - LocalPoliciesSecurityOptions
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/04/2017
+---
+
+# Policy CSP - LocalPoliciesSecurityOptions
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## LocalPoliciesSecurityOptions policies + + +**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +This policy setting prevents users from adding new Microsoft accounts on this computer. + +If you select the "Users cannot add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + +Valid values: +- 0 - disabled (users will be able to use Microsoft accounts with Windows) +- 1 - enabled (users cannot add Microsoft accounts) +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +This security setting determines whether the local Administrator account is enabled or disabled. + +If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. +Disabling the Administrator account can become a maintenance issue under certain circumstances. + +Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. + +Default: Disabled. +Valid values: +- 0 - local Administrator account is disabled +- 1 - local Administrator account is enabled + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +This security setting determines if the Guest account is enabled or disabled. + +Default: Disabled. +Valid values: +- 0 - local Guest account is disabled +- 1 - local Guest account is enabled + +Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Accounts: Limit local account use of blank passwords to console logon only + +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. + +Default: Enabled. +Valid values: +- 0 - disabled - local accounts that are not password protected can be used to log on from locations other than the physical computer console +- 1 - enabled - local accounts that are not password protected will only be able to log on at the computer's keyboard + +Warning: + +Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +This setting does not affect logons that use domain accounts. +It is possible for applications that use remote interactive logons to bypass this setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Accounts: Rename administrator account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +Default: Administrator. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Accounts: Rename guest account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +Default: Guest. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive Logon:Display user information when the session is locked + +Valid values: +- 1 - User display name, domain and user names +- 2 - User display name only +- 3 - Do not display user information + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Don't display last signed-in + +This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Don't display username at sign-in + +This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. + +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. +Valid values: +- 0 - disabled (username will be shown) +- 1 - enabled (username will not be shown) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Do not require CTRL+ALT+DEL + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. + +Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled. +Valid values: +- 0 - disabled +- 1 - enabled (a user is not required to press CTRL+ALT+DEL to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Machine inactivity limit. + +Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. + +Default: not enforced. +Valid values: +- 0 - disabled +- 1 - enabled (session will lock after amount of inactive time exceeds the inactivity limit) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Message text for users attempting to log on + +This security setting specifies a text message that is displayed to users when they log on. + +This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +Interactive logon: Message title for users attempting to log on + +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. + +Default: No message. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + +Valid values: +- 0 - disabled +- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +Recovery console: Allow automatic administrative logon + +This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. + +Default: This policy is not defined and automatic administrative logon is not allowed. +Valid values: +- 0 - disabled +- 1 - enabled (allow automatic administrative logon) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +Shutdown: Allow system to be shut down without having to log on + +This security setting determines whether a computer can be shut down without having to log on to Windows. + +When this policy is enabled, the Shut Down command is available on the Windows logon screen. + +When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. + +Default on workstations: Enabled. +Default on servers: Disabled. +Valid values: +- 0 - disabled +- 1 - enabled (allow system to be shut down without having to log on) + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. + +Disabled: (Default) +Valid values: +- 0 - disabled +- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) + +The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + +This policy setting controls the behavior of the elevation prompt for administrators. + +The options are: + +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + +User Account Control: Behavior of the elevation prompt for standard users +This policy setting controls the behavior of the elevation prompt for standard users. + +The options are: + +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. + + +
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+User Account Control: Only elevate executable files that are signed and validated
+
+This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
+
+The options are:
+- 0 - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
+- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+User Account Control: Only elevate UIAccess applications that are installed in secure locations
+
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
+
+- …\Program Files\, including subfolders
+- …\Windows\system32\
+- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
+
+Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
+
+The options are:
+- 0 - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+User Account Control: Turn on Admin Approval Mode
+
+This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
+
+The options are:
+- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+User Account Control: Switch to the secure desktop when prompting for elevation
+
+This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
+
+The options are:
+- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
+- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + +**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+
+
+User Account Control: Virtualize file and registry write failures to per-user locations
+
+This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
+
+The options are:
+- 0 - Disabled: Applications that write data to protected locations fail.
+- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
new file mode 100644
index 0000000000..ba133e1921
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -0,0 +1,75 @@
+---
+title: Policy CSP - Location
+description: Policy CSP - Location
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Location
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Location policies + + +**Location/EnableLocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. + +> [!IMPORTANT] +> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. + +

    The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + +

    To validate on Desktop, do the following: + +1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. +2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
new file mode 100644
index 0000000000..a98d78e52b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -0,0 +1,69 @@
+---
+title: Policy CSP - LockDown
+description: Policy CSP - LockDown
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - LockDown
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## LockDown policies + + +**LockDown/AllowEdgeSwipe** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. + +

    The following list shows the supported values: + +- 0 - disallow edge swipe. +- 1 (default, not configured) - allow edge swipe. + +

    The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
new file mode 100644
index 0000000000..27d44175e4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -0,0 +1,109 @@
+---
+title: Policy CSP - Maps
+description: Policy CSP - Maps
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Maps
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Maps policies + + +**Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. + +

    The following list shows the supported values: + +- 65535 (default) – Not configured. User's choice. +- 0 – Disabled. Force disable auto-update over metered connection. +- 1 – Enabled. Force enable auto-update over metered connection. + +

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + + +**Maps/EnableOfflineMapsAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Disables the automatic download and update of map data. + +

    The following list shows the supported values: + +- 65535 (default) – Not configured. User's choice. +- 0 – Disabled. Force off auto-update. +- 1 – Enabled. Force on auto-update. + +

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
new file mode 100644
index 0000000000..e0c705d31b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -0,0 +1,145 @@
+---
+title: Policy CSP - Messaging
+description: Policy CSP - Messaging
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Messaging
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Messaging policies + + +**Messaging/AllowMMS** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

    Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement. + +

    The following list shows the supported values: + +- 0 - Disabled. +- 1 (default) - Enabled. + + + + +**Messaging/AllowMessageSync** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. + +

    The following list shows the supported values: + +- 0 - message sync is not allowed and cannot be changed by the user. +- 1 - message sync is allowed. The user can change this setting. + + + + +**Messaging/AllowRCS** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

    Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement. + +

    The following list shows the supported values: + +- 0 - Disabled. +- 1 (default) - Enabled. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
new file mode 100644
index 0000000000..0d59b01e1b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -0,0 +1,298 @@
+---
+title: Policy CSP - NetworkIsolation
+description: Policy CSP - NetworkIsolation
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - NetworkIsolation
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## NetworkIsolation policies + + +**NetworkIsolation/EnterpriseCloudResources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. + + + + +**NetworkIsolation/EnterpriseIPRange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: + +``` syntax +10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, +192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, +2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, +2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, +fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + +``` + + + + +**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. + + + + +**NetworkIsolation/EnterpriseInternalProxyServers** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. + + + + +**NetworkIsolation/EnterpriseNetworkDomainNames** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". + +> [!NOTE] +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +  + +

    Here are the steps to create canonical domain names: + +1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). + + + + +**NetworkIsolation/EnterpriseProxyServers** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". + + + + +**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. + + + + +**NetworkIsolation/NeutralResources** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    List of domain names that can used for work or personal resource. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
new file mode 100644
index 0000000000..fa41ee2efb
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -0,0 +1,78 @@
+---
+title: Policy CSP - Notifications
+description: Policy CSP - Notifications
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Notifications
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Notifications policies + + +**Notifications/DisallowNotificationMirroring** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result. + + +

    For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. + +

    No reboot or service restart is required for this policy to take effect. + +

    The following list shows the supported values: + +- 0 (default)– enable notification mirroring. +- 1 – disable notification mirroring. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
new file mode 100644
index 0000000000..f3bb408651
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -0,0 +1,485 @@
+---
+title: Policy CSP - Power
+description: Policy CSP - Power
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Power
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Power policies + + +**Power/AllowStandbyWhenSleepingPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. + +If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. + +If you disable this policy setting, standby states (S1-S3) are not allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* +- GP name: *AllowStandbyStatesAC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/DisplayOffTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

    If you disable or do not configure this policy setting, users control this setting. + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off the display (on battery)* +- GP name: *VideoPowerDownTimeOutDC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/DisplayOffTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

    If you disable or do not configure this policy setting, users control this setting. + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off the display (plugged in)* +- GP name: *VideoPowerDownTimeOutAC_2* +- GP ADMX file name: *power.admx* + + + + +**Power/HibernateTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

    If you disable or do not configure this policy setting, users control this setting. + + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (on battery)* +- GP name: *DCHibernateTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/HibernateTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

    If you disable or do not configure this policy setting, users control this setting. + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP name: *ACHibernateTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/RequirePasswordWhenComputerWakesOnBattery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. + +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Require a password when a computer wakes (on battery)* +- GP name: *DCPromptForPasswordOnResume_2* +- GP ADMX file name: *power.admx* + + + + +**Power/RequirePasswordWhenComputerWakesPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. + +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Require a password when a computer wakes (plugged in)* +- GP name: *ACPromptForPasswordOnResume_2* +- GP ADMX file name: *power.admx* + + + + +**Power/StandbyTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

    If you disable or do not configure this policy setting, users control this setting. + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the system sleep timeout (on battery)* +- GP name: *DCStandbyTimeOut_2* +- GP ADMX file name: *power.admx* + + + + +**Power/StandbyTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +

    Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +

    If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

    If you disable or do not configure this policy setting, users control this setting. + +

    If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify the system sleep timeout (plugged in)* +- GP name: *ACStandbyTimeOut_2* +- GP ADMX file name: *power.admx* + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
new file mode 100644
index 0000000000..2fd40ada12
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -0,0 +1,206 @@
+---
+title: Policy CSP - Printers
+description: Policy CSP - Printers
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Printers
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Printers policies + + +**Printers/PointAndPrintRestrictions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. + +If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. 
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Point and Print Restrictions* +- GP name: *PointAndPrint_Restrictions_Win7* +- GP ADMX file name: *Printing.admx* + + + + +**Printers/PointAndPrintRestrictions_User** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. + +If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. + +If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. + +If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. 
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Point and Print Restrictions* +- GP name: *PointAndPrint_Restrictions* +- GP ADMX file name: *Printing.admx* + + + + +**Printers/PublishPrinters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Determines whether the computer's shared printers can be published in Active Directory. + +If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. + +If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. + +Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow printers to be published* +- GP name: *PublishPrinters* +- GP ADMX file name: *Printing2.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
new file mode 100644
index 0000000000..64b43c3fd9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -0,0 +1,2557 @@
+---
+title: Policy CSP - Privacy
+description: Policy CSP - Privacy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Privacy
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Privacy policies + + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check markcheck mark
    + + + +

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +

    The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + +

    Most restricted value is 0. + + + + +**Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. +  + + + + +**Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +

    The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + +

    Most restricted value is 0. + + + + +**Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + +**Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + +

    The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + +

    The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

    Most restricted value is 2. + + + + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + + +## Privacy policies supported by Windows Holographic for Business + +- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) + + + +## Privacy policies supported by IoT Core + +- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) + + 
+
+## Privacy policies supported by Microsoft Surface Hub
+
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
new file mode 100644
index 0000000000..0f082798fe
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -0,0 +1,278 @@
+---
+title: Policy CSP - RemoteAssistance
+description: Policy CSP - RemoteAssistance
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - RemoteAssistance
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## RemoteAssistance policies + + +**RemoteAssistance/CustomizeWarningMessages** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting lets you customize warning messages. + +The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. + +The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. + +If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. + +If you disable this policy setting, the user sees the default warning message. + +If you do not configure this policy setting, the user sees the default warning message. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Customize warning messages* +- GP name: *RA_Options* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SessionLogging** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. + +If you enable this policy setting, log files are generated. + +If you disable this policy setting, log files are not generated. + +If you do not configure this setting, application-based settings are used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn on session logging* +- GP name: *RA_Logging* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SolicitedRemoteAssistance** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. + +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. + +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." + +The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. + +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. + +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
+ +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Configure Solicited Remote Assistance* +- GP name: *RA_Solicit* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/UnsolicitedRemoteAssistance** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. + +To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: + +\ or + +\ + +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. + +Windows Vista and later + +Enable the Remote Assistance exception for the domain profile. 
The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe + +Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe + +For computers running Windows Server 2003 with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Configure Offer Remote Assistance* +- GP name: *RA_Unsolicit* +- GP ADMX file name: *remoteassistance.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
new file mode 100644
index 0000000000..57e8b93015
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -0,0 +1,357 @@
+---
+title: Policy CSP - RemoteDesktopServices
+description: Policy CSP - RemoteDesktopServices
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - RemoteDesktopServices
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## RemoteDesktopServices policies + + +**RemoteDesktopServices/AllowUsersToConnectRemotely** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to configure remote access to computers by using Remote Desktop Services. + +If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. + +If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. + +If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. + +Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. + +You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow users to connect remotely by using Remote Desktop Services* +- GP name: *TS_DISABLE_CONNECTIONS* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/ClientConnectionEncryptionLevel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. + +If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: + +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. + +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. + +* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. + +If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. + +Important + +FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) 
The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Set client connection encryption level* +- GP name: *TS_ENCRYPTION_POLICY* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowDriveRedirection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). + +By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. + +If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. + +If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. + +If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not allow drive redirection* +- GP name: *TS_CLIENT_DRIVE_M* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowPasswordSaving** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Controls whether passwords can be saved on this computer from Remote Desktop Connection. + +If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not allow passwords to be saved* +- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/PromptForPasswordUponConnection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. + +You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. + +By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. + +If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. + +If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. + +If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Always prompt for password upon connection* +- GP name: *TS_PASSWORD* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/RequireSecureRPCCommunication** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. + +You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. + +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. + +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. + +If the status is set to Not Configured, unsecured communication is allowed. + +Note: The RPC interface is used for administering and configuring Remote Desktop Services. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Require secure RPC communication* +- GP name: *TS_RPC_ENCRYPTION* +- GP ADMX file name: *terminalserver.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
new file mode 100644
index 0000000000..2bb1892add
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -0,0 +1,676 @@
+---
+title: Policy CSP - RemoteManagement
+description: Policy CSP - RemoteManagement
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - RemoteManagement
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## RemoteManagement policies + + +**RemoteManagement/AllowBasicAuthentication_Client** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow Basic authentication* +- GP name: *AllowBasic_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowBasicAuthentication_Service** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow Basic authentication* +- GP name: *AllowBasic_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowCredSSPAuthenticationClient** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow CredSSP authentication* +- GP name: *AllowCredSSP_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowCredSSPAuthenticationService** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow CredSSP authentication* +- GP name: *AllowCredSSP_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowRemoteServerManagement** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow remote server management through WinRM* +- GP name: *AllowAutoConfig* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowUnencryptedTraffic_Client** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow unencrypted traffic* +- GP name: *AllowUnencrypted_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/AllowUnencryptedTraffic_Service** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow unencrypted traffic* +- GP name: *AllowUnencrypted_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowDigestAuthentication** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disallow Digest authentication* +- GP name: *DisallowDigest* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowNegotiateAuthenticationClient** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disallow Negotiate authentication* +- GP name: *DisallowNegotiate_2* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowNegotiateAuthenticationService** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disallow Negotiate authentication* +- GP name: *DisallowNegotiate_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/DisallowStoringOfRunAsCredentials** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Disallow WinRM from storing RunAs credentials* +- GP name: *DisableRunAs* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify channel binding token hardening level* +- GP name: *CBTHardeningLevel_1* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TrustedHosts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Trusted Hosts* +- GP name: *TrustedHosts* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TurnOnCompatibilityHTTPListener** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn On Compatibility HTTP Listener* +- GP name: *HttpCompatibilityListener* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + + +**RemoteManagement/TurnOnCompatibilityHTTPSListener** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn On Compatibility HTTPS Listener* +- GP name: *HttpsCompatibilityListener* +- GP ADMX file name: *WindowsRemoteManagement.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
new file mode 100644
index 0000000000..79559fed08
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -0,0 +1,145 @@
+---
+title: Policy CSP - RemoteProcedureCall
+description: Policy CSP - RemoteProcedureCall
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - RemoteProcedureCall
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## RemoteProcedureCall policies + + +**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
+
+If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
+
+If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+
+If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+
+Note: This policy will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+ + +ADMX Info: +- GP english name: *Enable RPC Endpoint Mapper Client Authentication* +- GP name: *RpcEnableAuthEpResolution* +- GP ADMX file name: *rpc.admx* + + + + +**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
+
+This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
+
+If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
+
+If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
+
+If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
+
+-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
+
+-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
+
+-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
+
+Note: This policy setting will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Restrict Unauthenticated RPC clients*
+- GP name: *RpcRestrictRemoteClients*
+- GP ADMX file name: *rpc.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
new file mode 100644
index 0000000000..becd1b6df2
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -0,0 +1,332 @@
+---
+title: Policy CSP - RemoteShell
+description: Policy CSP - RemoteShell
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - RemoteShell
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## RemoteShell policies + + +**RemoteShell/AllowRemoteShellAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Allow Remote Shell Access* +- GP name: *AllowRemoteShellAccess* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/MaxConcurrentUsers** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *MaxConcurrentUsers* +- GP name: *MaxConcurrentUsers* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyIdleTimeout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify idle Timeout* +- GP name: *IdleTimeout* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxMemory** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify maximum amount of memory in MB per Shell* +- GP name: *MaxMemoryPerShellMB* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxProcesses** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify maximum number of processes per Shell* +- GP name: *MaxProcessesPerShell* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyMaxRemoteShells** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify maximum number of remote shells per user* +- GP name: *MaxShellsPerUser* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + + +**RemoteShell/SpecifyShellTimeout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Specify Shell Timeout* +- GP name: *ShellTimeOut* +- GP ADMX file name: *WindowsRemoteShell.admx* + + + +
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
new file mode 100644
index 0000000000..b4338ee741
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -0,0 +1,393 @@
+---
+title: Policy CSP - Search
+description: Policy CSP - Search
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Search
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Search policies + + +**Search/AllowIndexingEncryptedStoresOrItems** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. + +

    When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. + +

    When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Search/AllowSearchToUseLocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether search can leverage location information. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Search/AllowUsingDiacritics** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows the use of diacritics. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Search/AlwaysUseAutoLangDetection** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to always use automatic language detection when indexing content and properties. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Search/DisableBackoff** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + +

    The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + +**Search/DisableRemovableDriveIndexing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    This policy setting configures whether or not locations on removable drives can be added to libraries. + +

    If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. + +

    If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + +

    The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + +**Search/PreventIndexingLowDiskSpaceMB** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. + +

    Enable this policy if computers in your environment have extremely limited hard drive space. + +

    When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + +

    The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + +**Search/PreventRemoteQueries** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. + +

    The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + +**Search/SafeSearchPermissions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies what level of safe search (filtering adult content) is required. + +

    The following list shows the supported values: + +- 0 – Strict, highest filtering against adult content. +- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered). + +

    Most restricted value is 0. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Search policies that can be set using Exchange Active Sync (EAS)
+
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+
+
+
+## Search policies supported by Windows Holographic for Business
+
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+
+
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
new file mode 100644
index 0000000000..5b0f36a599
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -0,0 +1,466 @@
+---
+title: Policy CSP - Security
+description: Policy CSP - Security
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/26/2017
+---
+
+# Policy CSP - Security
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Security policies + + +**Security/AllowAddProvisioningPackage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow the runtime configuration agent to install provisioning packages. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy has been deprecated in Windows 10, version 1607 + +
    + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AllowManualRootCertificateInstallation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

    Specifies whether the user is allowed to manually install root and intermediate CA certificates. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Security/AllowRemoveProvisioningPackage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow the runtime configuration agent to remove provisioning packages. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Security/AntiTheftMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

    Allows or disallow Anti Theft Mode on the device. + +

    The following list shows the supported values: + +- 0 – Don't allow Anti Theft Mode. +- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). + + + + +**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. + +

    Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

    The following list shows the supported values: + +- 0 (default) – Encryption enabled. +- 1 – Encryption disabled. + + + + +**Security/ClearTPMIfNotReady** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3cross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. + +The following list shows the supported values: + +- 0 (default) – Will not force recovery from a non-ready TPM state. +- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. + + + + +**Security/RequireDeviceEncryption** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. + +

    Allows enterprise to turn on internal storage encryption. + +

    The following list shows the supported values: + +- 0 (default) – Encryption is not required. +- 1 – Encryption is required. + +

    Most restricted value is 1. + +> [!IMPORTANT] +> If encryption has been enabled, it cannot be turned off by using this policy. + + + + +**Security/RequireProvisioningPackageSignature** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether provisioning packages must have a certificate signed by a device trusted authority. + +

    The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + + + + +**Security/RequireRetrieveHealthCertificateOnBoot** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. + +

    The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + +

    Setting this policy to 1 (Required): + +- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. +- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. + +> [!NOTE] +> We recommend that this policy is set to Required after MDM enrollment. +  + +

    Most restricted value is 1. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Security policies that can be set using Exchange Active Sync (EAS)
+
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+
+
+
+## Security policies supported by Windows Holographic for Business
+
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+
+
+
+## Security policies supported by IoT Core
+
+- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
+- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+
+
+
+## Security policies supported by Microsoft Surface Hub
+
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+
+
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
new file mode 100644
index 0000000000..1f0609cf32
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -0,0 +1,560 @@
+---
+title: Policy CSP - Settings
+description: Policy CSP - Settings
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Settings
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Settings policies + + +**Settings/AllowAutoPlay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows the user to change Auto Play settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +> [!NOTE] +> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. + + + + +**Settings/AllowDataSense** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows the user to change Data Sense settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowDateTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows the user to change date and time settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + + + +

    Allows editing of the device name. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowLanguage** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows the user to change the language settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowPowerSleep** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows the user to change power and sleep settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowRegion** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows the user to change the region settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowSignInOptions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows the user to change sign-in options. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowVPN** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows the user to change VPN settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowWorkplace** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Allows user to change workplace settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/AllowYourAccount** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows user to change account settings. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + +**Settings/ConfigureTaskbarCalendar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. + +

    The following list shows the supported values: + +- 0 (default) – User will be allowed to configure the setting. +- 1 – Don't show additional calendars. +- 2 - Simplified Chinese (Lunar). +- 3 - Traditional Chinese (Lunar). + + + + +**Settings/PageVisibilityList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. + +

    The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: + +

    showonly:about;bluetooth + +

    If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. + +

    The format of the PageVisibilityList value is as follows: + +- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. +- There are two variants: one that shows only the given pages and one which hides the given pages. +- The first variant starts with the string "showonly:" and the second with the string "hide:". +- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". + +

    The default value for this setting is an empty string, which is interpreted as show everything. + +

    Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: + +

    showonly:wi-fi;bluetooth + +

    Example 2, specifies that the wifi page should not be shown: + +

    hide:wifi + +

    To validate on Desktop, do the following: + +1. Open System Settings and verfiy that the About page is visible and accessible. +2. Configure the policy with the following string: "hide:about". +3. Open System Settings again and verify that the About page is no longer accessible. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Settings policies supported by Windows Holographic for Business
+
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
+
+
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
new file mode 100644
index 0000000000..f051f86853
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -0,0 +1,139 @@
+---
+title: Policy CSP - SmartScreen
+description: Policy CSP - SmartScreen
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - SmartScreen
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## SmartScreen policies + + +**SmartScreen/EnableAppInstallControl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. + +

    The following list shows the supported values: + +- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. +- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. + + + + +**SmartScreen/EnableSmartScreenInShell** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. + +

    The following list shows the supported values: + +- 0 – Turns off SmartScreen in Windows. +- 1 – Turns on SmartScreen in Windows. + + + + +**SmartScreen/PreventOverrideForFilesInShell** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. + +

    The following list shows the supported values: + +- 0 – Employees can ignore SmartScreen warnings and run malicious files. +- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
new file mode 100644
index 0000000000..e19e02b135
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -0,0 +1,67 @@
+---
+title: Policy CSP - Speech
+description: Policy CSP - Speech
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Speech
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Speech policies + + +**Speech/AllowSpeechModelUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + + + +

    Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
new file mode 100644
index 0000000000..63e49d9fa5
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -0,0 +1,1193 @@
+---
+title: Policy CSP - Start
+description: Policy CSP - Start
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Start
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Start policies + + +**Start/AllowPinnedFolderDocuments** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderDownloads** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderFileExplorer** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderHomeGroup** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderMusic** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderNetwork** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPersonalFolder** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderPictures** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/AllowPinnedFolderVideos** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu. + +

    The following list shows the supported values: + +- 0 – The shortcut is hidden and disables the setting in the Settings app. +- 1 – The shortcut is visible and disables the setting in the Settings app. +- 65535 (default) - There is no enforced configuration and the setting can be changed by the user. + + + + +**Start/ForceStartSize** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

    Forces the start screen size. + +

    The following list shows the supported values: + +- 0 (default) – Do not force size of Start. +- 1 – Force non-fullscreen size of Start. +- 2 - Force a fullscreen size of Start. + +

    If there is policy configuration conflict, the latest configuration request is applied to the device. + + + + +**Start/HideAppList** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. + +

    The following list shows the supported values: + +- 0 (default) – None. +- 1 – Hide all apps list. +- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. +- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. + +

    To validate on Desktop, do the following: + +- 1 - Enable policy and restart explorer.exe +- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. +- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. +- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. + + + + +**Start/HideChangeAccountSettings** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Change account settings" is not available. + + + + +**Start/HideFrequentlyUsedApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable "Show most used apps" in the Settings app. +2. Use some apps to get them into the most used group in Start. +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show most used apps" Settings toggle is grayed out. +6. Check that most used apps do not appear in Start. + + + + +**Start/HideHibernate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Laptop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Hibernate" is not available. + +> [!NOTE] +> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. + + + + +**Start/HideLock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Lock" is not available. + + + + +**Start/HidePowerButton** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, and verify the power button is not available. + + + + +**Start/HideRecentJumplists** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. +2. Pin Photos to the taskbar, and open some images in the photos app. +3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up. +4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. +5. Enable policy. +6. Restart explorer.exe +7. Check that Settings toggle is grayed out. +8. Repeat Step 2. +9. Right Click pinned photos app and verify that there is no jumplist of recent items. + + + + +**Start/HideRecentlyAddedApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable "Show recently added apps" in the Settings app. +2. Check if there are recently added apps in Start (if not, install some). +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show recently added apps" Settings toggle is grayed out. +6. Check that recently added apps do not appear in Start. + + + + +**Start/HideRestart** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. + + + + +**Start/HideShutDown** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. + + + + +**Start/HideSignOut** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Sign out" is not available. + + + + +**Start/HideSleep** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify that "Sleep" is not available. + + + + +**Start/HideSwitchAccount** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Switch account" is not available. + + + + +**Start/HideUserTile** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. + +

    The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Log off. +3. Log in, and verify that the user tile is gone from Start. + + + + +**Start/ImportEdgeAssets** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> This policy requires reboot to take effect. + +

    Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. + +> [!IMPORTANT] +> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. + +

    The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles). + +

    To validate on Desktop, do the following: + +1. Set policy with an XML for Edge assets. +2. Set StartLayout policy to anything so that it would trigger the Edge assets import. +3. Sign out/in. +4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. + + + + +**Start/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. + +

    The following list shows the supported values: + +- 0 (default) – False (pinning enabled). +- 1 - True (pinning disabled). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Right click on a program pinned to taskbar. +3. Verify that "Unpin from taskbar" menu does not show. +4. Open Start and right click on one of the app list icons. +5. Verify that More->Pin to taskbar menu does not show. + + + + +**Start/StartLayout** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + + +> [!IMPORTANT] +> This node is set on a per-user basis and must be accessed using the following paths: +> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. +> +> +> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: +> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. + + +

    Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy + +

    For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar). + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
new file mode 100644
index 0000000000..6e7bf5238a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -0,0 +1,80 @@
+---
+title: Policy CSP - Storage
+description: Policy CSP - Storage
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Storage
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Storage policies + + +**Storage/EnhancedStorageDevices** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
+
+
+
+This policy setting configures whether or not Windows will activate an Enhanced Storage device.
+
+If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
+
+If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
+- GP name: *TCGSecurityActivationDisabled*
+- GP ADMX file name: *enhancedstorage.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
new file mode 100644
index 0000000000..ac2270f86c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -0,0 +1,629 @@
+---
+title: Policy CSP - System
+description: Policy CSP - System
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - System
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## System policies + + +**System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +

    This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +

    If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + +

    The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +**System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether set general purpose device to be in embedded mode. + +

    The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

    Most restricted value is 0. + + + + +**System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +

    This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + +

    The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + +

    Most restricted value is 0. + + + + +**System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +

    Supported values: + +- false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + +

    This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +

    This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + +

    To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +**System/AllowLocation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow app access to the Location service. + +

    The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + +

    Most restricted value is 0. + +

    While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +

    When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +

    For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + + +**System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +

    The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + +

    Most restricted value is 0. + + + + +**System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allow the device to send diagnostic and usage telemetry data, such as Watson. + +

    The following tables describe the supported values: + + +++ + + + + + + + + + + + + + + + + +
    Windows 8.1 Values

    0 – Not allowed.

    +

    1 – Allowed, except for Secondary Data Requests.

    2 (default) – Allowed.

    + + + +++ + + + + + + + + + + + + + + + + + + + +
    Windows 10 Values

    0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

    +
    +Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +
    +

    1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

    2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

    3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

    + + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +

    Most restricted value is 0. + + + + +**System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + +

    Most restricted value is 0. + + + + +**System/BootStartDriverInitialization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +N/A + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP name: *POL_DriverLoadPolicy_Name* +- GP ADMX file name: *earlylauncham.admx* + + + + +**System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Windows Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +

    If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + +

    The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +**System/DisableSystemRestore** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP ADMX file name: *systemrestore.admx* + + + + +**System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +

    If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +


+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## System policies that can be set using Exchange Active Sync (EAS)
+
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+
+
+
+## System policies supported by Windows Holographic for Business
+
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+
+
+
+## System policies supported by IoT Core
+
+- [System/AllowEmbeddedMode](#system-allowembeddedmode)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+
+
+
+## System policies supported by Microsoft Surface Hub
+
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+
+
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
new file mode 100644
index 0000000000..213a633652
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -0,0 +1,561 @@
+---
+title: Policy CSP - TextInput
+description: Policy CSP - TextInput
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - TextInput
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## TextInput policies + + +**TextInput/AllowIMELogging** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowIMENetworkAccess** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowInputPanel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the IT admin to disable the touch/handwriting keyboard on Windows. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowJapaneseIMESurrogatePairCharacters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the Japanese IME surrogate pair characters. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowJapaneseIVSCharacters** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows Japanese Ideographic Variation Sequence (IVS) characters. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowJapaneseNonPublishingStandardGlyph** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the Japanese non-publishing standard glyph. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowJapaneseUserDictionary** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the Japanese user dictionary. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/AllowKeyboardTextSuggestions** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

    Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. + +

    The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + +

    Most restricted value is 0. + +

    To validate that text prediction is disabled on Windows 10 for desktop, do the following: + +1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. +2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. +3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. + + + + +**TextInput/AllowKoreanExtendedHanja** + + + + + +

    This policy has been deprecated. + + + + +**TextInput/AllowLanguageFeaturesUninstall** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the uninstall of language features, such as spell checkers, on a device. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the users to restrict character code range of conversion by setting the character filter. + +

    The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 are filtered. + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the users to restrict character code range of conversion by setting the character filter. + +

    The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 and EUDC are filtered. + + + + +**TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

    Allows the users to restrict character code range of conversion by setting the character filter. + +

    The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except ShiftJIS are filtered. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## TextInput policies supported by Microsoft Surface Hub
+
+- [TextInput/AllowIMELogging](#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+
+
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
new file mode 100644
index 0000000000..5aa7ed1720
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -0,0 +1,75 @@
+---
+title: Policy CSP - TimeLanguageSettings
+description: Policy CSP - TimeLanguageSettings
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - TimeLanguageSettings
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## TimeLanguageSettings policies + + +**TimeLanguageSettings/AllowSet24HourClock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + + + +

    Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. + +

    The following list shows the supported values:
+
+- 0 – Locale default setting.
+- 1 (default) – Set 24 hour clock.
+
+
+
+


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## TimeLanguageSettings policies supported by Microsoft Surface Hub
+
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
+
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
new file mode 100644
index 0000000000..3681d55d6f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -0,0 +1,1887 @@
+---
+title: Policy CSP - Update
+description: Policy CSP - Update
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Update
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Update policies + + +**Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. + +

    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

    The default is 17 (5 PM). + + + + +**Update/ActiveHoursMaxRange** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. + +

    Supported values are 8-18. + +

    The default value is 18 (hours). + + + + +**Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. + +

    Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

    The default value is 8 (8 AM). + + + + +**Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +

    Supported operations are Get and Replace. + +

    The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. 
Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +

    If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + + +**Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education + + +

    Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + +

    The following list shows the supported values: + +- 0 – Not allowed or not configured. +- 1 – Allowed. Accepts updates received through Microsoft Update. + + + + +**Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. + +

    Supported operations are Get and Replace. + +

    The following list shows the supported values: + +- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. + +

    This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + + +**Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. + +

    Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store + +

    Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. + +

    The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + + + +**Update/AutoRestartDeadlinePeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory. + +

    Supported values are 2-30 days. + +

    The default value is 7 days. + + + + +**Update/AutoRestartNotificationSchedule** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +

    Supported values are 15, 30, 60, 120, and 240 (minutes). + +

    The default value is 15 (minutes). + + + + +**Update/AutoRestartRequiredNotificationDismissal** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + +

    The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + + + + +**Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + +

    The following list shows the supported values: + +- 16 (default) – User gets all applicable upgrades from Current Branch (CB). +- 32 – User gets upgrades from Current Branch for Business (CBB). + + + + +**Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

    Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +

    Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + + +**Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +

    Supported values are 0-30. + + + + +**Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +

    Allows IT Admins to specify update delays for up to 4 weeks. + +

    Supported values are 0-4, which refers to the number of weeks to defer updates. + +

    In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

    If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Update categoryMaximum deferralDeferral incrementUpdate type/notes

    OS upgrade

    8 months

    1 month

    Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

    Update

    1 month

    1 week

    +Note +If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. +
    +
      +
    • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
    • +
    • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
    • +
    • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
    • +
    • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
    • +
    • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
    • +
    • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
    • +
    • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
    • +
    • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
    • +

    Other/cannot defer

    No deferral

    No deferral

    Any update category not specifically enumerated above falls into this category.

    +

    Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

    + + + + +**Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +

    Allows IT Admins to specify additional upgrade delays for up to 8 months. + +

    Supported values are 0-8, which refers to the number of months to defer upgrades. + +

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + +**Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + +**Update/EngagedRestartDeadline** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). + +

    Supported values are 2-30 days. + +

    The default value is 0 days (not specified). + + + + +**Update/EngagedRestartSnoozeSchedule** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. + +

    Supported values are 1-3 days. + +

    The default value is 3 days. + + + + +**Update/EngagedRestartTransitionSchedule** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +

    Supported values are 2-30 days. + +

    The default value is 7 days. + + + + +**Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

    Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + +

    The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + +**Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
    + + + +

    Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + +

    The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + +**Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

    The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + +

    To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +**Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

    The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + +

    To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + +**Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +

    Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + +

    The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + +

    If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + +**Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

    Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +

    Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + +

    The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + +**Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +

    Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + +**Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +

    Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + +

    The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + +**Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +

    Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + +**Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +

    Allows the IT admin to set a device to CBB train. + +

    The following list shows the supported values: + +- 0 (default) – User gets upgrades from Current Branch. +- 1 – User gets upgrades from Current Branch for Business. + + + + +**Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +
    + +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +

    Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +

    Supported operations are Get and Replace. + +

    The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + + + + +**Update/ScheduleImminentRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +

    Supported values are 15, 30, or 60 (minutes). + +

    The default value is 15 (minutes). + + + + +**Update/ScheduleRestartWarning** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +

    Supported values are 2, 4, 8, 12, or 24 (hours). + +

    The default value is 4 (hours). + + + + +**Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Enables the IT admin to schedule the day of the update installation. + +

    The data type is a integer. + +

    Supported operations are Add, Delete, Get, and Replace. + +

    The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + + + + +**Update/ScheduledInstallEveryWeek** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    + + + +

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values: +

      +
    • 0 - no update in the schedule
    • +
    • 1 - update is scheduled every week
    • +
    + + + + +**Update/ScheduledInstallFirstWeek** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    + + + +

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: +

      +
    • 0 - no update in the schedule
    • +
    • 1 - update is scheduled every first week of the month
    • +
    + + + + +**Update/ScheduledInstallFourthWeek** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    + + + +

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: +

      +
    • 0 - no update in the schedule
    • +
    • 1 - update is scheduled every fourth week of the month
    • +
    + + + + +**Update/ScheduledInstallSecondWeek** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    + + + +

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: +

      +
    • 0 - no update in the schedule
    • +
    • 1 - update is scheduled every second week of the month
    • +
    + + + + +**Update/ScheduledInstallThirdWeek** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3check mark3cross mark
    + + + +

    Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: +

      +
    • 0 - no update in the schedule
    • +
    • 1 - update is scheduled every third week of the month
    • +
    + + + + +**Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Enables the IT admin to schedule the time of the update installation. + +

    The data type is a integer. + +

    Supported operations are Add, Delete, Get, and Replace. + +

    Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +

    The default value is 3. + + + + +**Update/SetAutoRestartNotificationDisable** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

    Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +

    The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + + + + +**Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + + + +

    Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. + +

    The following list shows the supported values: + +- 0 - not configured +- 1 - configured + + + + +**Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +

    Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. + +

    Supported operations are Get and Replace. + +

    The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + +**Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + +

    Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +

    This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +

    To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +

    Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Update policies supported by Windows Holographic for Business
+
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Update policies supported by IoT Core
+
+- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/PauseDeferrals](#update-pausedeferrals)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Update policies supported by Microsoft Surface Hub
+
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+- [Update/DetectionFrequency](#update-detectionfrequency)
+- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](#update-pausequalityupdates)
+- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
+- 
[Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
+
+
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
new file mode 100644
index 0000000000..2a91601f05
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -0,0 +1,288 @@
+---
+title: Policy CSP - Wifi
+description: Policy CSP - Wifi
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - Wifi
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## Wifi policies + + +**WiFi/AllowWiFiHotSpotReporting** + + + + + +

    This policy has been deprecated. + + + + +**Wifi/AllowAutoConnectToWiFiSenseHotspots** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allow or disallow the device to automatically connect to Wi-Fi hotspots. + +

    The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

    Most restricted value is 0. + + + + +**Wifi/AllowInternetSharing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allow or disallow internet sharing. + +

    The following list shows the supported values: + +- 0 – Do not allow the use of Internet Sharing. +- 1 (default) – Allow the use of Internet Sharing. + +

    Most restricted value is 0. + + + + +**Wifi/AllowManualWiFiConfiguration** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + + + +

    Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +

    The following list shows the supported values: + +- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. +- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. + +

    Most restricted value is 0. + +> [!NOTE] +> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. + + + + +**Wifi/AllowWiFi** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + + + +

    Allow or disallow WiFi connection. + +

    The following list shows the supported values: + +- 0 – WiFi connection is not allowed. +- 1 (default) – WiFi connection is allowed. + +

    Most restricted value is 0. + + + + +**Wifi/AllowWiFiDirect** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. Allow WiFi Direct connection.. + +- 0 - WiFi Direct connection is not allowed. +- 1 - WiFi Direct connection is allowed. + + + + +**Wifi/WLANScanMode** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + + +

    Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. + +

    Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. + +

    The default value is 0. + +

    Supported operations are Add, Delete, Get, and Replace. + + + +


    +
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Wifi policies that can be set using Exchange Active Sync (EAS)
+
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+
+
+
+## Wifi policies supported by IoT Core
+
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+- [Wifi/WLANScanMode](#wifi-wlanscanmode)
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
new file mode 100644
index 0000000000..1562806a3e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -0,0 +1,526 @@
+---
+title: Policy CSP - WindowsDefenderSecurityCenter
+description: Policy CSP - WindowsDefenderSecurityCenter
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 07/14/2017
+---
+
+# Policy CSP - WindowsDefenderSecurityCenter
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
    + +## WindowsDefenderSecurityCenter policies + + +**WindowsDefenderSecurityCenter/CompanyName** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. + +

    Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + +**WindowsDefenderSecurityCenter/DisableAppBrowserUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableEnhancedNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. + +> [!Note] +> If Suppress notification is enabled then users will not see critical or non-critical messages. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.. +- 1 - (Enable) Windows Defender Security Center only display notifications which are considered critical on clients. + + + + +**WindowsDefenderSecurityCenter/DisableFamilyUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the family options area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableHealthUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableNetworkUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisableNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of Windows Defender Security Center notifications. +- 1 - (Enable) The users cannot see the display of Windows Defender Security Center notifications. + + + + +**WindowsDefenderSecurityCenter/DisableVirusUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete. Valid values: + +- 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. +- 1 - (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center. + + + + +**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area. + +

    Value type is integer. Supported operations are Add, Get, Replace and Delete.Valid values: + +- 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area. +- 1 - (Enable) Local users cannot make changes in the exploit protection settings area. + + + + +**WindowsDefenderSecurityCenter/Email** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. + +

    Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + +**WindowsDefenderSecurityCenter/EnableCustomizedToasts** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values: + +- 0 - (Disable) Notifications contain a default notification text. +- 1 - (Enable) Notifications contain the company name and contact options. + + + + +**WindowsDefenderSecurityCenter/EnableInAppCustomization** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification. + +

    Value type is integer. Supported operations are Add, Get, Replace, and Delete. Valid values: + +- 0 - (Disable) Do not display the company name and contact options in the card fly out notification. +- 1 - (Enable) Display the company name and contact options in the card fly out notification. + + + + +**WindowsDefenderSecurityCenter/Phone** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. + +

    Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + + +**WindowsDefenderSecurityCenter/URL** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + +

    Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. + +

    Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md new file mode 100644 index 0000000000..aea0a2de88 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -0,0 +1,104 @@ +--- +title: Policy CSP - WindowsInkWorkspace +description: Policy CSP - WindowsInkWorkspace +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - WindowsInkWorkspace + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## WindowsInkWorkspace policies + + +**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +

    Value type is bool. The following list shows the supported values: + +- 0 - app suggestions are not allowed. +- 1 (default) -allow app suggestions. + + + + +**WindowsInkWorkspace/AllowWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +

    Value type is int. The following list shows the supported values: + +- 0 - access to ink workspace is disabled. The feature is turned off. +- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. +- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md new file mode 100644 index 0000000000..c0d3fb1bdc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -0,0 +1,170 @@ +--- +title: Policy CSP - WindowsLogon +description: Policy CSP - WindowsLogon +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - WindowsLogon + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## WindowsLogon policies + + +**WindowsLogon/DisableLockScreenAppNotifications** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to prevent app notifications from appearing on the lock screen. + +If you enable this policy setting, no app notifications are displayed on the lock screen. + +If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Turn off app notifications on the lock screen* +- GP name: *DisableLockScreenAppNotifications* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/DontDisplayNetworkSelectionUI** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross mark
    + + + +This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. + +If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. + +If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP english name: *Do not display network selection UI* +- GP name: *DontDisplayNetworkSelectionUI* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/HideFastUserSwitching** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + + + +

    Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +

    Value type is bool. The following list shows the supported values: + +- 0 (default) - Diabled (visible). +- 1 - Enabled (hidden). + +

    To validate on Desktop, do the following: + +1. Enable policy. +2. Verify that the Switch account button in Start is hidden. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md new file mode 100644 index 0000000000..7662a3bdcb --- /dev/null +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -0,0 +1,220 @@ +--- +title: Policy CSP - WirelessDisplay +description: Policy CSP - WirelessDisplay +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 07/14/2017 +--- + +# Policy CSP - WirelessDisplay + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
    + +## WirelessDisplay policies + + +**WirelessDisplay/AllowProjectionFromPC** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. + +- 0 - your PC cannot discover or project to other devices. +- 1 - your PC can discover and project to other devices + + + + +**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. + +- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. +- 1 - your PC can discover and project to other devices over infrastructure. + + + + +**WirelessDisplay/AllowProjectionToPC** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. + +

    If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

    Value type is integer. Valid value: + +- 0 - projection to PC is not allowed. Always off and the user cannot enable it. +- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. + + + + +**WirelessDisplay/AllowProjectionToPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + + +

    Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. + +- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. +- 1 - your PC is discoverable and other devices can project to it over infrastructure. + + + + +**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + + + + +

    Added in Windows 10, version 1703. + + + + +**WirelessDisplay/RequirePinForPairing** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + + +

    Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. + +

    If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

    Value type is integer. Valid value: + +- 0 (default) - PIN is not required. +- 1 - PIN is required. + + + +


    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + + diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 1d12982cbe..ec16e08ca7 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 06/30/2017 --- # Policy DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -20,7 +23,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the DDF for Windows 10, version 1703. +The XML below is the DDF for Windows 10, version 1709. ``` syntax 
@@ -442,6 +445,100 @@ The XML below is the DDF for Windows 10, version 1703. + + Education + + + + + + + + + + + + + + + + + + + + + AllowUserPrinterInstallation + + + + + + + + Boolean that specifies whether or not to allow user to install new printers + + + + + + + + + + + text/plain + + + + + DefaultPrinterName + + + + + + + + This policy sets user's default printer + + + + + + + + + + + text/plain + + + + + PrinterNames + + + + + + + + This policy provisions per-user network printers + + + + + + + + + + + text/plain + + + + EnterpriseCloudPrint @@ -891,6 +988,78 @@ The XML below is the DDF for Windows 10, version 1703. + + AllowAutoComplete + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCertificateAddressMismatchWarning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDeletingBrowsingHistoryOnExit + + + + + + + + + + + + + + + + + + + text/plain + + + AllowEnhancedProtectedMode @@ -1251,6 +1420,30 @@ The XML below is the DDF for Windows 10, version 1703. + + AllowSoftwareWhenSignatureIsInvalid + + + + + + + + + + + + + + + + + + + text/plain + + + AllowsRestrictedSitesZoneTemplate @@ -1323,6 +1516,78 @@ The XML below is the DDF for Windows 10, version 1703. + + CheckServerCertificateRevocation + + + + + + + + + + + + + + + + + + + text/plain + + + + + CheckSignaturesOnDownloadedPrograms + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConsistentMimeHandlingInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + DisableAdobeFlash @@ -1347,6 +1612,30 @@ The XML below is the DDF for Windows 10, version 1703. + + DisableBlockingOfOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + DisableBypassOfSmartScreenWarnings 
@@ -1395,6 +1684,54 @@ The XML below is the DDF for Windows 10, version 1703. + + DisableConfiguringHistory + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCrashDetection + + + + + + + + + + + + + + + + + + + text/plain + + + DisableCustomerExperienceImprovementProgramParticipation @@ -1419,6 +1756,30 @@ The XML below is the DDF for Windows 10, version 1703. + + DisableDeletingUserVisitedWebsites + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnclosureDownloading @@ -1539,6 +1900,78 @@ The XML below is the DDF for Windows 10, version 1703. + + DisableIgnoringCertificateErrors + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableInPrivateBrowsing + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableProcessesInEnhancedProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + DisableProxyChange @@ -1611,6 +2044,54 @@ The XML below is the DDF for Windows 10, version 1703. + + DisableSecuritySettingsCheck + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotAllowActiveXControlsInProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + DoNotBlockOutdatedActiveXControls @@ -1779,6 +2260,54 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowFontDownloads @@ -1827,6 +2356,30 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneAllowLoadingOfXAMLFilesWRONG + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowNETFrameworkReliantComponents 
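Review bot: The node name `InternetZoneAllowLoadingOfXAMLFilesWRONG` added in the `@@ -1827,6 +2356,30 @@` hunk reads like an internal placeholder rather than a policy name. The same suffix recurs in later hunks of this file: `InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1`/`WRONG2`, `InternetZoneJavaPermissionsWRONG1`/`WRONG2`, `RestrictedSitesZoneAllowFontDownloadsWRONG1`/`WRONG2`, `RestrictedSitesZoneWRONG` through `RestrictedSitesZoneWRONG5`, and `TrustedSitesZoneWRONG1`/`WRONG2`. These are Internet Explorer security-zone settings, so an administrator who builds OMA DM provisioning XML from this DDF would target nodes whose names do not say which control they set, and could assume a hardening setting was applied when it was not. In the `@@ -3892,7 +5405,127 @@` hunk the previously published `RestrictedSitesZoneAllowFontDownloads` line is removed and only the `WRONG1`/`WRONG2` variants remain, which would break existing references if that line is the node name. I would hold these entries back until the final names are known, or rename them to match their siblings, e.g. `InternetZoneAllowLoadingOfXAMLFiles` alongside `RestrictedSitesZoneAllowLoadingOfXAMLFiles` added in the same file, assuming that is the intended name.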
@@ -1851,6 +2404,102 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowScriptlets @@ -1899,6 +2548,30 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneAllowUpdatesToStatusBarViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowUserDataPersistence 
@@ -1923,6 +2596,246 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneInitializeAndScriptActiveXControls @@ -1947,6 +2860,126 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneJavaPermissionsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneJavaPermissionsWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneLogonOptions + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneNavigateWindowsAndFrames 
@@ -1971,6 +3004,126 @@ The XML below is the DDF for Windows 10, version 1703. + + InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneUsePopupBlocker + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneAllowAccessToDataSources @@ -2451,6 +3604,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + LocalMachineZoneInitializeAndScriptActiveXControls @@ -2475,6 +3652,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LocalMachineZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LocalMachineZoneNavigateWindowsAndFrames @@ -2739,6 +3940,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LockedDownInternetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownInternetZoneNavigateWindowsAndFrames @@ -3267,6 +4492,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LockedDownLocalMachineZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames @@ -3531,6 +4780,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LockedDownRestrictedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames 
@@ -3795,6 +5068,30 @@ The XML below is the DDF for Windows 10, version 1703. + + LockedDownTrustedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames @@ -3819,6 +5116,198 @@ The XML below is the DDF for Windows 10, version 1703. + + MimeSniffingSafetyFeatureInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + MKProtocolSecurityRestrictionInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + NotificationBarInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventManagingSmartScreenFilter + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventPerUserInstallationOfActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + ProtectionFromZoneElevationInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + RemoveRunThisTimeButtonForOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictActiveXInstallInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowAccessToDataSources @@ -3843,6 +5332,30 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneAllowActiveScripting + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls 
@@ -3892,7 +5405,127 @@ The XML below is the DDF for Windows 10, version 1703. - RestrictedSitesZoneAllowFontDownloads + RestrictedSitesZoneAllowBinaryAndScriptBehaviors + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloadsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloadsWRONG2 @@ -3939,6 +5572,54 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneAllowLoadingOfXAMLFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowMETAREFRESH + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents @@ -3963,6 +5644,102 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowScriptlets @@ -4011,6 +5788,30 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowUserDataPersistence 
@@ -4035,6 +5836,174 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneInitializeAndScriptActiveXControls @@ -4059,6 +6028,78 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneLogonOptions + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneNavigateWindowsAndFrames 
@@ -4083,6 +6124,270 @@ The XML below is the DDF for Windows 10, version 1703. + + RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneRunActiveXControlsAndPlugins + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG3 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG4 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG5 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictFileDownloadInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + SearchProviderList @@ -4107,6 +6412,30 @@ The XML below is the DDF for Windows 10, version 1703. + + SpecifyUseOfActiveXInstallerService + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneAllowAccessToDataSources @@ -4347,6 +6676,30 @@ The XML below is the DDF for Windows 10, version 1703. + + TrustedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneNavigateWindowsAndFrames @@ -4371,6 +6724,54 @@ The XML below is the DDF for Windows 10, version 1703. + + TrustedSitesZoneWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + Notifications 
@@ -4642,10 +7043,10 @@ The XML below is the DDF for Windows 10, version 1703. - RequirePrivateStoreOnly - + RequirePrivateStoreOnly + - + 0 @@ -4653,15 +7054,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + @@ -4684,10 +7085,10 @@ The XML below is the DDF for Windows 10, version 1703. - DoNotPreserveZoneInformation - + DoNotPreserveZoneInformation + - + @@ -4695,25 +7096,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_MarkZoneOnSavedAtttachments - + - HideZoneInfoMechanism - + HideZoneInfoMechanism + - + @@ -4721,25 +7122,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_RemoveZoneInfo - + - NotifyAntivirusPrograms - + NotifyAntivirusPrograms + - + @@ -4747,19 +7148,19 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AttachmentManager.admx AttachmentManager~AT~WindowsComponents~AM_AM AM_CallIOfficeAntiVirus - + @@ -4782,10 +7183,10 @@ The XML below is the DDF for Windows 10, version 1703. - AllowEAPCertSSO - + AllowEAPCertSSO + - + 0 @@ -4793,15 +7194,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + @@ -4824,10 +7225,10 @@ The XML below is the DDF for Windows 10, version 1703. - DisallowAutoplayForNonVolumeDevices - + DisallowAutoplayForNonVolumeDevices + - + @@ -4835,25 +7236,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume - + - SetDefaultAutoRunBehavior - + SetDefaultAutoRunBehavior + - + 
@@ -4861,25 +7262,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun - + - TurnOffAutoPlay - + TurnOffAutoPlay + - + @@ -4887,19 +7288,19 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun - + @@ -4922,10 +7323,10 @@ The XML below is the DDF for Windows 10, version 1703. - DisablePasswordReveal - + DisablePasswordReveal + - + @@ -4933,19 +7334,19 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal - + @@ -4968,10 +7369,10 @@ The XML below is the DDF for Windows 10, version 1703. - PreventUserRedirectionOfProfileFolders - + PreventUserRedirectionOfProfileFolders + - + @@ -4979,19 +7380,105 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone desktop.admx desktop~AT~Desktop DisablePersonalDirChange - + + + + + Education + + + + + + + + + + + + + + + + + + + AllowUserPrinterInstallation + + + + + Boolean that specifies whether or not to allow user to install new printers + + + + + + + + + + + + text/plain + + + + + DefaultPrinterName + + + + + This policy sets user's default printer + + + + + + + + + + + + text/plain + + + + + PrinterNames + + + + + This policy provisions per-user network printers + + + + + + + + + + + + text/plain + + @@ -5014,10 +7501,10 @@ The XML below is the DDF for Windows 10, version 1703. - CloudPrinterDiscoveryEndPoint - + CloudPrinterDiscoveryEndPoint + - + This policy provisions per-user discovery end point to discover cloud printers @@ -5025,21 +7512,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - CloudPrintOAuthAuthority - + CloudPrintOAuthAuthority + - + Authentication endpoint for acquiring OAuth tokens 
@@ -5047,21 +7534,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - CloudPrintOAuthClientId - + CloudPrintOAuthClientId + - + A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority E1CF1107-FF90-4228-93BF-26052DD2C714 @@ -5069,21 +7556,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - CloudPrintResourceId - + CloudPrintResourceId + - + Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication @@ -5091,21 +7578,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - DiscoveryMaxPrinterLimit - + DiscoveryMaxPrinterLimit + - + Defines the maximum number of printers that should be queried from discovery end point 20 @@ -5113,21 +7600,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - MopriaDiscoveryResourceId - + MopriaDiscoveryResourceId + - + Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication @@ -5135,15 +7622,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + @@ -5166,10 +7653,10 @@ The XML below is the DDF for Windows 10, version 1703. - AllowTailoredExperiencesWithDiagnosticData - + AllowTailoredExperiencesWithDiagnosticData + - + 1 @@ -5177,21 +7664,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - AllowThirdPartySuggestionsInWindowsSpotlight - + AllowThirdPartySuggestionsInWindowsSpotlight + - + 1 @@ -5199,22 +7686,22 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone - + - AllowWindowsConsumerFeatures - + AllowWindowsConsumerFeatures + - + 0 
@@ -5222,22 +7709,22 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone - + - AllowWindowsSpotlight - + AllowWindowsSpotlight + - + 1 @@ -5245,22 +7732,22 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone - + - AllowWindowsSpotlightOnActionCenter - + AllowWindowsSpotlightOnActionCenter + - + 1 @@ -5268,21 +7755,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - AllowWindowsSpotlightWindowsWelcomeExperience - + AllowWindowsSpotlightWindowsWelcomeExperience + - + 1 @@ -5290,21 +7777,21 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + - ConfigureWindowsSpotlightOnLockScreen - + ConfigureWindowsSpotlightOnLockScreen + - + 1 @@ -5312,16 +7799,16 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone - + @@ -5344,10 +7831,10 @@ The XML below is the DDF for Windows 10, version 1703. - AddSearchProvider - + AddSearchProvider + - + @@ -5355,25 +7842,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider - + - AllowActiveXFiltering - + AllowActiveXFiltering + - + @@ -5381,25 +7868,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering - + - AllowAddOnList - + AllowAddOnList + - + @@ -5407,25 +7894,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList - + - AllowEnhancedProtectedMode - + AllowAutoComplete + - + 
@@ -5433,25 +7920,103 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictFormSuggestPW + + + + AllowCertificateAddressMismatchWarning + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyWarnCertMismatch + + + + AllowDeletingBrowsingHistoryOnExit + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + DBHDisableDeleteOnExit + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode - + - AllowEnterpriseModeFromToolsMenu - + AllowEnterpriseModeFromToolsMenu + - + @@ -5459,25 +8024,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable - + - AllowEnterpriseModeSiteList - + AllowEnterpriseModeSiteList + - + @@ -5485,25 +8050,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList - + - AllowInternetExplorer7PolicyList - + AllowInternetExplorer7PolicyList + - + @@ -5511,25 +8076,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList - + - AllowInternetExplorerStandardsMode - + AllowInternetExplorerStandardsMode + - + 
@@ -5537,25 +8102,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites - + - AllowInternetZoneTemplate - + AllowInternetZoneTemplate + - + @@ -5563,25 +8128,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate - + - AllowIntranetZoneTemplate - + AllowIntranetZoneTemplate + - + @@ -5589,25 +8154,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate - + - AllowLocalMachineZoneTemplate - + AllowLocalMachineZoneTemplate + - + @@ -5615,25 +8180,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate - + - AllowLockedDownInternetZoneTemplate - + AllowLockedDownInternetZoneTemplate + - + @@ -5641,25 +8206,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate - + - AllowLockedDownIntranetZoneTemplate - + AllowLockedDownIntranetZoneTemplate + - + @@ -5667,25 +8232,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate - + - AllowLockedDownLocalMachineZoneTemplate - + AllowLockedDownLocalMachineZoneTemplate + - + 
@@ -5693,25 +8258,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate - + - AllowLockedDownRestrictedSitesZoneTemplate - + AllowLockedDownRestrictedSitesZoneTemplate + - + @@ -5719,25 +8284,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate - + - AllowOneWordEntry - + AllowOneWordEntry + - + @@ -5745,25 +8310,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry - + - AllowSiteToZoneAssignmentList - + AllowSiteToZoneAssignmentList + - + @@ -5771,25 +8336,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps - + - AllowsLockedDownTrustedSitesZoneTemplate - + AllowsLockedDownTrustedSitesZoneTemplate + - + @@ -5797,25 +8362,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate - + - AllowsRestrictedSitesZoneTemplate - + AllowSoftwareWhenSignatureIsInvalid + - + 
@@ -5823,25 +8388,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_InvalidSignatureBlock + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate - + - AllowSuggestedSites - + AllowSuggestedSites + - + @@ -5849,25 +8440,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites - + - AllowTrustedSitesZoneTemplate - + AllowTrustedSitesZoneTemplate + - + @@ -5875,25 +8466,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate - + - DisableAdobeFlash - + CheckServerCertificateRevocation + - + 
@@ -5901,25 +8492,103 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_CertificateRevocation + + + + CheckSignaturesOnDownloadedPrograms + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DownloadSignatures + + + + ConsistentMimeHandlingInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction + IESF_PolicyExplorerProcesses_2 + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE - + - DisableBypassOfSmartScreenWarnings - + DisableBlockingOfOutdatedActiveXControls + - + 
@@ -5927,311 +8596,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictHomePage - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - 
inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable - + - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - + DisableBypassOfSmartScreenWarnings + - + 
@@ -6239,25 +8622,545 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverride + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverrideForAppRepUnknown + + + + DisableConfiguringHistory + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + RestrictHistory + + + + DisableCrashDetection + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddonManagement_RestrictCrashDetection + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SQM_DisableCEIP + + + + DisableDeletingUserVisitedWebsites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + DBHDisableDeleteHistory + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~RSS_Feeds + Disable_Downloading_of_Enclosures + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_SetWinInetProtocols + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoFirstRunCustomise + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableFlipAhead + + 
+ + DisableHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictHomePage + + + + DisableIgnoringCertificateErrors + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL + NoCertError + + + + DisableInPrivateBrowsing + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy + DisableInPrivateBrowsing + + + + DisableProcessesInEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_EnableEnhancedProtectedMode64Bit + + + + DisableProxyChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictProxy + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoSearchProvider + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SecondaryHomePages + + + + DisableSecuritySettingsCheck + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Disable_Security_Settings_Check + + + + DoNotAllowActiveXControlsInProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableEPMCompat + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisable + + + + DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + 
+ + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist - + - IncludeAllLocalSites - + IncludeAllLocalSites + - + @@ -6265,25 +9168,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites - + - IncludeAllNetworkPaths - + IncludeAllNetworkPaths + - + @@ -6291,25 +9194,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet - + - InternetZoneAllowAccessToDataSources - + InternetZoneAllowAccessToDataSources + - + @@ -6317,25 +9220,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 - + - InternetZoneAllowAutomaticPromptingForActiveXControls - + InternetZoneAllowAutomaticPromptingForActiveXControls + - + @@ -6343,25 +9246,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 - + - InternetZoneAllowAutomaticPromptingForFileDownloads - + InternetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -6369,25 +9272,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 - + - InternetZoneAllowFontDownloads - + InternetZoneAllowCopyPasteViaScript + - + 
@@ -6395,25 +9298,77 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowPasteViaScript_1 + + + + InternetZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDropOrPasteFiles_1 + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 - + - InternetZoneAllowLessPrivilegedSites - + InternetZoneAllowLessPrivilegedSites + - + @@ -6421,25 +9376,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 - + - InternetZoneAllowNETFrameworkReliantComponents - + InternetZoneAllowLoadingOfXAMLFilesWRONG + - + @@ -6447,25 +9402,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_XAML_1 + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - + - InternetZoneAllowScriptlets - + InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + - + 
@@ -6473,25 +9454,129 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + + + + InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyAllowTDCControl_Both_LocalMachine + + + + InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_WebBrowserControl_1 + + + + InternetZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyWindowsRestrictionsURLaction_6 + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 - + - InternetZoneAllowSmartScreenIE - + InternetZoneAllowSmartScreenIE + - + @@ -6499,25 +9584,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 - + - InternetZoneAllowUserDataPersistence - + InternetZoneAllowUpdatesToStatusBarViaScript + - + 
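Review bot: Three Internet-zone nodes added in the -6473 hunk appear bound to another zone's ADMX policy: `InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls` is followed by the `IZ_IntranetZone` category and `IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet`, `InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl` by `IZ_LocalMachineZone`, and `InternetZoneAllowScriptInitiatedWindows` by `IZ_TrustedSitesZoneLockdown`. If the pairing is as listed, an administrator who sets these nodes by name to harden the Internet zone would change a different zone and leave the Internet zone untouched. The same pattern shows in the -6551 hunk (`InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2`, `InternetZoneDownloadSignedActiveXControls`, `InternetZoneEnableCrossSiteScriptingFilter`, `InternetZoneEnableProtectedMode`) and the -6577 hunk (`InternetZoneJavaPermissionsWRONG2`), and node names ending in `WRONG` read like placeholders rather than final names. The XML markup is not visible here, so the name-to-category pairing is inferred from line order and should be confirmed against the shipped DDF. If the listing is accurate, I would add a line above it such as `Some InternetZone* nodes in this DDF map to ADMX policies for other zones; check the ADMX category of each node before deploying it.`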
@@ -6525,25 +9610,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_ScriptStatusBar_1 + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 - + - InternetZoneInitializeAndScriptActiveXControls - + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + - + 
@@ -6551,25 +9662,285 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 + + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + + + + InternetZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyDownloadSignedActiveX_3 + + + + InternetZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadUnsignedActiveX_1 + + + + InternetZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + + + + InternetZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + 
text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyMimeSniffingURLaction_1 + + + + InternetZoneEnableProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_TurnOnProtectedMode_2 + + + + InternetZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_LocalPathForUpload_1 + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 - + - InternetZoneNavigateWindowsAndFrames - + InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + - + 
@@ -6577,25 +9948,155 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXNotMarkedSafe_1 + + + + InternetZoneJavaPermissionsWRONG1 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyJavaPermissions_1 + + + + InternetZoneJavaPermissionsWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + + + + InternetZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + + + + InternetZoneLogonOptions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyLogon_1 + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 - + - IntranetZoneAllowAccessToDataSources - + InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + - + 
@@ -6603,25 +10104,155 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + + + + InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicySignedFrameworkComponentsURLaction_1 + + + + InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_UnsafeFiles_1 + + + + InternetZoneUsePopupBlocker + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyBlockPopupWindows_1 + + + + InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyZoneElevationURLaction_1 + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 - + - IntranetZoneAllowAutomaticPromptingForActiveXControls - + IntranetZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -6629,25 +10260,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 - + - IntranetZoneAllowAutomaticPromptingForFileDownloads - + IntranetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -6655,25 +10286,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 - + - IntranetZoneAllowFontDownloads - + IntranetZoneAllowFontDownloads + - + @@ -6681,25 +10312,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 - + - IntranetZoneAllowLessPrivilegedSites - + IntranetZoneAllowLessPrivilegedSites + - + @@ -6707,25 +10338,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 - + - IntranetZoneAllowNETFrameworkReliantComponents - + IntranetZoneAllowNETFrameworkReliantComponents + - + @@ -6733,25 +10364,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - + - IntranetZoneAllowScriptlets - + IntranetZoneAllowScriptlets + - + 
@@ -6759,25 +10390,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 - + - IntranetZoneAllowSmartScreenIE - + IntranetZoneAllowSmartScreenIE + - + @@ -6785,25 +10416,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 - + - IntranetZoneAllowUserDataPersistence - + IntranetZoneAllowUserDataPersistence + - + @@ -6811,25 +10442,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 - + - IntranetZoneInitializeAndScriptActiveXControls - + IntranetZoneInitializeAndScriptActiveXControls + - + @@ -6837,25 +10468,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 - + - IntranetZoneNavigateWindowsAndFrames - + IntranetZoneNavigateWindowsAndFrames + - + @@ -6863,25 +10494,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 - + - LocalMachineZoneAllowAccessToDataSources - + LocalMachineZoneAllowAccessToDataSources + - + 
@@ -6889,25 +10520,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 - + - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + - + @@ -6915,25 +10546,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 - + - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + - + @@ -6941,25 +10572,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 - + - LocalMachineZoneAllowFontDownloads - + LocalMachineZoneAllowFontDownloads + - + @@ -6967,25 +10598,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 - + - LocalMachineZoneAllowLessPrivilegedSites - + LocalMachineZoneAllowLessPrivilegedSites + - + @@ -6993,25 +10624,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 - + - LocalMachineZoneAllowNETFrameworkReliantComponents - + LocalMachineZoneAllowNETFrameworkReliantComponents + - + 
@@ -7019,25 +10650,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - + - LocalMachineZoneAllowScriptlets - + LocalMachineZoneAllowScriptlets + - + @@ -7045,25 +10676,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 - + - LocalMachineZoneAllowSmartScreenIE - + LocalMachineZoneAllowSmartScreenIE + - + @@ -7071,25 +10702,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 - + - LocalMachineZoneAllowUserDataPersistence - + LocalMachineZoneAllowUserDataPersistence + - + @@ -7097,25 +10728,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 - + - LocalMachineZoneInitializeAndScriptActiveXControls - + LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + - + 
@@ -7123,25 +10754,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 - + - LocalMachineZoneNavigateWindowsAndFrames - + LocalMachineZoneJavaPermissions + - + @@ -7149,25 +10806,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyJavaPermissions_9 + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 - + - LockedDownInternetZoneAllowAccessToDataSources - + LockedDownInternetZoneAllowAccessToDataSources + - + @@ -7175,25 +10858,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 - + - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + - + 
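Review bot: The ADMX category path added for `LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls` in hunk `@@ -7123,25 +10754,51 @@` reads `…~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone`, chaining two zone categories. Every other LocalMachineZone node in this listing uses `…~IZ_SecurityPage~IZ_LocalMachineZone`. The element tags are lost in this view, so the pairing of name and path is inferred from order. If the path is a copy-paste slip, the documented mapping for a setting that controls antimalware checks on ActiveX controls does not resolve to the intended zone. I would verify it against inetres.admx and, if the DDF is correct as shipped, say so in a comment next to the node.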
@@ -7201,25 +10884,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 - + - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -7227,25 +10910,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 - + - LockedDownInternetZoneAllowFontDownloads - + LockedDownInternetZoneAllowFontDownloads + - + @@ -7253,25 +10936,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 - + - LockedDownInternetZoneAllowLessPrivilegedSites - + LockedDownInternetZoneAllowLessPrivilegedSites + - + @@ -7279,25 +10962,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 - + - LockedDownInternetZoneAllowNETFrameworkReliantComponents - + LockedDownInternetZoneAllowNETFrameworkReliantComponents + - + @@ -7305,25 +10988,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - + - LockedDownInternetZoneAllowScriptlets - + LockedDownInternetZoneAllowScriptlets + - + 
@@ -7331,25 +11014,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 - + - LockedDownInternetZoneAllowSmartScreenIE - + LockedDownInternetZoneAllowSmartScreenIE + - + @@ -7357,25 +11040,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 - + - LockedDownInternetZoneAllowUserDataPersistence - + LockedDownInternetZoneAllowUserDataPersistence + - + @@ -7383,25 +11066,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 - + - LockedDownInternetZoneInitializeAndScriptActiveXControls - + LockedDownInternetZoneInitializeAndScriptActiveXControls + - + @@ -7409,25 +11092,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 - + - LockedDownInternetZoneNavigateWindowsAndFrames - + LockedDownInternetZoneJavaPermissions + - + 
@@ -7435,25 +11118,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyJavaPermissions_2 + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 - + - LockedDownIntranetZoneAllowAccessToDataSources - + LockedDownIntranetZoneAllowAccessToDataSources + - + @@ -7461,25 +11170,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 - + - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + - + @@ -7487,25 +11196,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 - + - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -7513,25 +11222,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 - + - LockedDownIntranetZoneAllowFontDownloads - + LockedDownIntranetZoneAllowFontDownloads + - + 
@@ -7539,25 +11248,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 - + - LockedDownIntranetZoneAllowLessPrivilegedSites - + LockedDownIntranetZoneAllowLessPrivilegedSites + - + @@ -7565,25 +11274,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 - + - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + - + @@ -7591,25 +11300,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - + - LockedDownIntranetZoneAllowScriptlets - + LockedDownIntranetZoneAllowScriptlets + - + @@ -7617,25 +11326,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 - + - LockedDownIntranetZoneAllowSmartScreenIE - + LockedDownIntranetZoneAllowSmartScreenIE + - + @@ -7643,25 +11352,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 - + - LockedDownIntranetZoneAllowUserDataPersistence - + LockedDownIntranetZoneAllowUserDataPersistence + - + 
@@ -7669,25 +11378,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 - + - LockedDownIntranetZoneInitializeAndScriptActiveXControls - + LockedDownIntranetZoneInitializeAndScriptActiveXControls + - + @@ -7695,25 +11404,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 - + - LockedDownIntranetZoneNavigateWindowsAndFrames - + LockedDownIntranetZoneNavigateWindowsAndFrames + - + @@ -7721,25 +11430,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 - + - LockedDownLocalMachineZoneAllowAccessToDataSources - + LockedDownLocalMachineZoneAllowAccessToDataSources + - + @@ -7747,25 +11456,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 - + - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -7773,25 +11482,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 - + - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - + LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + - + @@ -7799,25 +11508,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 - + - LockedDownLocalMachineZoneAllowFontDownloads - + LockedDownLocalMachineZoneAllowFontDownloads + - + @@ -7825,25 +11534,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 - + - LockedDownLocalMachineZoneAllowLessPrivilegedSites - + LockedDownLocalMachineZoneAllowLessPrivilegedSites + - + @@ -7851,25 +11560,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 - + - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + - + @@ -7877,25 +11586,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - + - LockedDownLocalMachineZoneAllowScriptlets - + LockedDownLocalMachineZoneAllowScriptlets + - + 
@@ -7903,25 +11612,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 - + - LockedDownLocalMachineZoneAllowSmartScreenIE - + LockedDownLocalMachineZoneAllowSmartScreenIE + - + @@ -7929,25 +11638,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 - + - LockedDownLocalMachineZoneAllowUserDataPersistence - + LockedDownLocalMachineZoneAllowUserDataPersistence + - + @@ -7955,25 +11664,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 - + - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + - + @@ -7981,25 +11690,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 - + - LockedDownLocalMachineZoneNavigateWindowsAndFrames - + LockedDownLocalMachineZoneJavaPermissions + - + 
@@ -8007,25 +11716,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyJavaPermissions_10 + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 - + - LockedDownRestrictedSitesZoneAllowAccessToDataSources - + LockedDownRestrictedSitesZoneAllowAccessToDataSources + - + @@ -8033,25 +11768,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 - + - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + - + @@ -8059,25 +11794,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 - + - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -8085,25 +11820,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 - + - LockedDownRestrictedSitesZoneAllowFontDownloads - + LockedDownRestrictedSitesZoneAllowFontDownloads + - + 
@@ -8111,25 +11846,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 - + - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + - + @@ -8137,25 +11872,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 - + - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + - + @@ -8163,25 +11898,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - + - LockedDownRestrictedSitesZoneAllowScriptlets - + LockedDownRestrictedSitesZoneAllowScriptlets + - + @@ -8189,25 +11924,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 - + - LockedDownRestrictedSitesZoneAllowSmartScreenIE - + LockedDownRestrictedSitesZoneAllowSmartScreenIE + - + @@ -8215,25 +11950,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 - + - LockedDownRestrictedSitesZoneAllowUserDataPersistence - + LockedDownRestrictedSitesZoneAllowUserDataPersistence + - + 
@@ -8241,25 +11976,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 - + - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + - + @@ -8267,25 +12002,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 - + - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - + LockedDownRestrictedSitesZoneJavaPermissions + - + @@ -8293,25 +12028,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyJavaPermissions_8 + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 - + - LockedDownTrustedSitesZoneAllowAccessToDataSources - + LockedDownTrustedSitesZoneAllowAccessToDataSources + - + @@ -8319,25 +12080,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 - + - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -8345,25 +12106,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 - + - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -8371,25 +12132,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 - + - LockedDownTrustedSitesZoneAllowFontDownloads - + LockedDownTrustedSitesZoneAllowFontDownloads + - + @@ -8397,25 +12158,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 - + - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + - + @@ -8423,25 +12184,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 - + - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + - + @@ -8449,25 +12210,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - + - LockedDownTrustedSitesZoneAllowScriptlets - + LockedDownTrustedSitesZoneAllowScriptlets + - + 
@@ -8475,25 +12236,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 - + - LockedDownTrustedSitesZoneAllowSmartScreenIE - + LockedDownTrustedSitesZoneAllowSmartScreenIE + - + @@ -8501,25 +12262,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 - + - LockedDownTrustedSitesZoneAllowUserDataPersistence - + LockedDownTrustedSitesZoneAllowUserDataPersistence + - + @@ -8527,25 +12288,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 - + - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + - + @@ -8553,25 +12314,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 - + - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - + LockedDownTrustedSitesZoneJavaPermissions + - + 
@@ -8579,25 +12340,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyJavaPermissions_6 + + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 - + - RestrictedSitesZoneAllowAccessToDataSources - + MimeSniffingSafetyFeatureInternetExplorerProcesses + - + 
@@ -8605,25 +12392,233 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature + IESF_PolicyExplorerProcesses_6 + + + + MKProtocolSecurityRestrictionInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction + IESF_PolicyExplorerProcesses_3 + + + + NotificationBarInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar + IESF_PolicyExplorerProcesses_10 + + + + PreventManagingSmartScreenFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + + + + PreventPerUserInstallationOfActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisablePerUserActiveXInstall + + + + ProtectionFromZoneElevationInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation + IESF_PolicyAllProcesses_9 + + + + RemoveRunThisTimeButtonForOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisableRunThisTime + + + + RestrictActiveXInstallInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall + IESF_PolicyAllProcesses_11 
+ + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 - + - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - + RestrictedSitesZoneAllowActiveScripting + - + @@ -8631,25 +12626,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyActiveScripting_1 + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 - + - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -8657,25 +12678,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 - + - RestrictedSitesZoneAllowFontDownloads - + RestrictedSitesZoneAllowBinaryAndScriptBehaviors + - + 
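Review bot: Several nodes added here have a name for one scope but an ADMX mapping for another, as far as the flattened text shows. In hunk `@@ -8605,25 +12392,233 @@`, `PreventManagingSmartScreenFilter` is followed by `IZ_InternetZone` / `IZ_PolicyDownloadSignedActiveX_1`; in hunk `@@ -8631,25 +12626,51 @@`, `RestrictedSitesZoneAllowActiveScripting` is followed by `IZ_InternetZone` / `IZ_PolicyActiveScripting_1`, while neighbouring RestrictedSitesZone nodes map to `IZ_RestrictedSitesZone` with a `_7` suffix. The later hunks `@@ -8683,25 +12704,129 @@` and `@@ -8735,25 +12886,77 @@` show the same pattern for `RestrictedSitesZoneAllowBinaryAndScriptBehaviors`, `RestrictedSitesZoneAllowFileDownloads` and `RestrictedSitesZoneAllowMETAREFRESH`. If the mapping is accurate, an administrator who sets one of these through MDM to harden the Restricted Sites zone would be configuring the Internet zone instead. I would check each against inetres.admx before publishing, and where the DDF reflects shipped behaviour, add a short comment beside the node stating which zone the setting actually affects.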
@@ -8683,25 +12704,129 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyBinaryBehaviors_1 + + + + RestrictedSitesZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowPasteViaScript_7 + + + + RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDropOrPasteFiles_7 + + + + RestrictedSitesZoneAllowFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFileDownload_1 + + + + RestrictedSitesZoneAllowFontDownloadsWRONG1 + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - + - RestrictedSitesZoneAllowLessPrivilegedSites - + RestrictedSitesZoneAllowFontDownloadsWRONG2 + - + @@ -8709,25 +12834,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFontDownload_1 + + + + RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 - + - RestrictedSitesZoneAllowNETFrameworkReliantComponents - + RestrictedSitesZoneAllowLoadingOfXAMLFiles + - + 
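Review bot: The node names `RestrictedSitesZoneAllowFontDownloadsWRONG1` and `RestrictedSitesZoneAllowFontDownloadsWRONG2`, added in hunk `@@ -8683,25 +12704,129 @@`, read like leftover placeholders. The plain name `RestrictedSitesZoneAllowFontDownloads` no longer appears on the new side of the visible hunks. WRONG1 appears to keep the `IZ_RestrictedSitesZone` / `IZ_PolicyFontDownload_7` mapping, while WRONG2 (mapping in hunk `@@ -8709,25 +12834,51 @@`) points at `IZ_InternetZone` / `IZ_PolicyFontDownload_1`. A reader therefore cannot tell which name controls font downloads for the Restricted Sites zone, and a profile written against the old name may silently stop applying. I would either restore the intended names or add a sentence above the listing explaining that these are the literal node names in this release and which ADMX policy each one drives.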
@@ -8735,25 +12886,77 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_XAML_7 + + + + RestrictedSitesZoneAllowMETAREFRESH + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowMETAREFRESH_1 + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - + - RestrictedSitesZoneAllowScriptlets - + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + - + 
@@ -8761,25 +12964,129 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + + + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowTDCControl_Both_Restricted + + + + RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_WebBrowserControl_7 + + + + RestrictedSitesZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyWindowsRestrictionsURLaction_7 + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 - + - RestrictedSitesZoneAllowSmartScreenIE - + RestrictedSitesZoneAllowSmartScreenIE + - + @@ -8787,25 +13094,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 - + - RestrictedSitesZoneAllowUserDataPersistence - + RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + - + 
@@ -8813,25 +13120,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_ScriptStatusBar_7 + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 - + - RestrictedSitesZoneInitializeAndScriptActiveXControls - + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + - + 
@@ -8839,25 +13172,207 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + + + + RestrictedSitesZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDownloadSignedActiveX_7 + + + + RestrictedSitesZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDownloadUnsignedActiveX_7 + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + + + + RestrictedSitesZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyMimeSniffingURLaction_7 + + + + RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_LocalPathForUpload_7 + + + + 
RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 - + - RestrictedSitesZoneNavigateWindowsAndFrames - + RestrictedSitesZoneJavaPermissions + - + @@ -8865,25 +13380,103 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyJavaPermissions_7 + + + + RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + + + + RestrictedSitesZoneLogonOptions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyLogon_7 + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 - + - SearchProviderList - + RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + - + 
@@ -8891,25 +13484,311 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNavigateSubframesAcrossDomains_1 + + + + RestrictedSitesZoneRunActiveXControlsAndPlugins + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyRunActiveXControls_1 + + + + RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicySignedFrameworkComponentsURLaction_7 + + + + RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXMarkedSafe_1 + + + + RestrictedSitesZoneWRONG + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyScriptingOfJavaApplets_6 + + + + RestrictedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_UnsafeFiles_7 + + + + RestrictedSitesZoneWRONG3 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + + + + RestrictedSitesZoneWRONG4 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_TurnOnProtectedMode_7 + + + + RestrictedSitesZoneWRONG5 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBlockPopupWindows_7 + + + + RestrictFileDownloadInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload + IESF_PolicyAllProcesses_12 + + + + ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions + IESF_PolicyAllProcesses_8 + + + + SearchProviderList + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider - + - TrustedSitesZoneAllowAccessToDataSources - + SpecifyUseOfActiveXInstallerService + - + @@ -8917,25 +13796,51 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + OnlyUseAXISForActiveXInstall + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 - + - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -8943,25 +13848,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 - + - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -8969,25 +13874,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 - + - TrustedSitesZoneAllowFontDownloads - + TrustedSitesZoneAllowFontDownloads + - + @@ -8995,25 +13900,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 - + - TrustedSitesZoneAllowLessPrivilegedSites - + TrustedSitesZoneAllowLessPrivilegedSites + - + @@ -9021,25 +13926,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 - + - TrustedSitesZoneAllowNETFrameworkReliantComponents - + TrustedSitesZoneAllowNETFrameworkReliantComponents + - + @@ -9047,25 +13952,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - + - TrustedSitesZoneAllowScriptlets - + TrustedSitesZoneAllowScriptlets + - + 
@@ -9073,25 +13978,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 - + - TrustedSitesZoneAllowSmartScreenIE - + TrustedSitesZoneAllowSmartScreenIE + - + @@ -9099,25 +14004,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 - + - TrustedSitesZoneAllowUserDataPersistence - + TrustedSitesZoneAllowUserDataPersistence + - + @@ -9125,25 +14030,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 - + - TrustedSitesZoneInitializeAndScriptActiveXControls - + TrustedSitesZoneInitializeAndScriptActiveXControls + - + @@ -9151,25 +14056,25 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 - + - TrustedSitesZoneNavigateWindowsAndFrames - + TrustedSitesZoneJavaPermissions + - + 
@@ -9177,19 +14082,97 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyJavaPermissions_5 + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - + + + + TrustedSitesZoneWRONG1 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + + + + TrustedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + @@ -9212,10 +14195,10 @@ The XML below is the DDF for Windows 10, version 1703. - DisallowNotificationMirroring - + DisallowNotificationMirroring + - + 0 @@ -9223,15 +14206,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + @@ -9254,10 +14237,10 @@ The XML below is the DDF for Windows 10, version 1703. - PointAndPrintRestrictions_User - + PointAndPrintRestrictions_User + - + @@ -9265,19 +14248,19 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions - + @@ -9300,10 +14283,10 @@ The XML below is the DDF for Windows 10, version 1703. - ConfigureTaskbarCalendar - + ConfigureTaskbarCalendar + - + 0 @@ -9311,15 +14294,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + 
@@ -9342,10 +14325,10 @@ The XML below is the DDF for Windows 10, version 1703. - StartLayout - + StartLayout + - + @@ -9353,16 +14336,16 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain phone - + @@ -9385,10 +14368,10 @@ The XML below is the DDF for Windows 10, version 1703. - AllowTelemetry - + AllowTelemetry + - + 3 @@ -9396,15 +14379,15 @@ The XML below is the DDF for Windows 10, version 1703. - + - + - text/plain + text/plain - + @@ -9659,6 +14642,87 @@ The XML below is the DDF for Windows 10, version 1703. + + AccountPolicies + + + + + + + + + + + + + + + + + + + + + MinDevicePasswordLength + + + + + + + + This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. + + + + + + + + + + + text/plain + + + + + PasswordMustMeetComplexityRequirement + + + + + + + + This security setting determines whether passwords must meet complexity requirements. + +If this policy is enabled, passwords must meet the following minimum requirements: + +Not contain the user's account name or parts of the user's full name that exceed two consecutive characters +Be at least six characters in length +Contain characters from three of the following four categories: +English uppercase characters (A through Z) +English lowercase characters (a through z) +Base 10 digits (0 through 9) +Non-alphabetic characters (for example, !, $, #, %) +Complexity requirements are enforced when passwords are changed or created. + + + + + + + + + + + text/plain + + + + Accounts @@ -10870,6 +15934,30 @@ The XML below is the DDF for Windows 10, version 1703. + + AllowFidoDeviceSignon + + + + + + + + Specifies whether FIDO device can be used to sign on. + + + + + + + + + + + text/plain + + + AllowSecondaryAuthenticationDevice 
@@ -11449,7 +16537,7 @@ The XML below is the DDF for Windows 10, version 1703. This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 
@@ -11760,7 +16848,7 @@ Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. @@ -12072,6 +17160,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + Cellular + + + + + + + + + + + + + + + + + + + + + ShowAppCellularAccessUI + + + + + + + + + + + + + + + + + + + text/plain + + + + Connectivity @@ -12285,6 +17419,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DiablePrintingOverHTTP + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableDownloadingOfPrintDriversOverHTTP + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards + + + + + + + + + + + + + + + + + + + text/plain + + + DisallowNetworkConnectivityActiveTests @@ -12333,6 +17539,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ProhibitInstallationAndConfigurationOfNetworkBridge + + + + + + + + + + + + + + + + + + + text/plain + + + CredentialProviders 
@@ -13017,6 +18247,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AttackSurfaceReductionOnlyExclusions + + + + + + + + + + + + + + + + + + + text/plain + + + + + AttackSurfaceReductionRules + + + + + + + + + + + + + + + + + + + text/plain + + + AvgCPULoadFactor @@ -13041,6 +18319,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CloudBlockLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + + CloudExtendedTimeout + + + + + + + + + + + + + + + + + + + text/plain + + + DaysToRetainCleanedMalware @@ -13065,6 +18391,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableGuardMyFolders + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableNetworkProtection + + + + + + + + + + + + + + + + + + + text/plain + + + ExcludedExtensions @@ -13137,6 +18511,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + GuardedFoldersAllowedApplications + + + + + + + + + + + + + + + + + + + text/plain + + + + + GuardedFoldersList + + + + + + + + + + + + + + + + + + + text/plain + + + PUAProtection 
@@ -13760,6 +19182,100 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DeviceGuard + + + + + + + + + + + + + + + + + + + + + EnableVirtualizationBasedSecurity + + + + + + + + Turns On Virtualization Based Security(VBS) + + + + + + + + + + + text/plain + + + + + LsaCfgFlags + + + + + + + + Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. + + + + + + + + + + + text/plain + + + + + RequirePlatformSecurityFeatures + + + + + + + + Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. + + + + + + + + + + + text/plain + + + + DeviceInstallation @@ -14004,7 +19520,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 
@@ -14187,6 +19703,34 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + MinimumPasswordAge + + + + + + + + This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. + +The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. + +Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. + + + + + + + + + + + text/plain + + + PreventLockScreenSlideShow @@ -15063,6 +20607,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowCertificateAddressMismatchWarning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDeletingBrowsingHistoryOnExit + + + + + + + + + + + + + + + + + + + text/plain + + + AllowEnhancedProtectedMode @@ -15135,6 +20727,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowFallbackToSSL3 + + + + + + + + + + + + + + + + + + + text/plain + + + AllowInternetExplorer7PolicyList 
@@ -15423,6 +21039,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowSoftwareWhenSignatureIsInvalid + + + + + + + + + + + + + + + + + + + text/plain + + + AllowsRestrictedSitesZoneTemplate @@ -15495,6 +21135,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + CheckServerCertificateRevocation + + + + + + + + + + + + + + + + + + + text/plain + + + + + CheckSignaturesOnDownloadedPrograms + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConsistentMimeHandlingInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + DisableAdobeFlash @@ -15519,6 +21231,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableBlockingOfOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + DisableBypassOfSmartScreenWarnings @@ -15567,6 +21303,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableConfiguringHistory + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCrashDetection + + + + + + + + + + + + + + + + + + + text/plain + + + DisableCustomerExperienceImprovementProgramParticipation @@ -15591,6 +21375,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableDeletingUserVisitedWebsites + + + + + + + + + + + + + + + + + + + text/plain + + + DisableEnclosureDownloading @@ -15687,6 +21495,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableIgnoringCertificateErrors + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableInPrivateBrowsing + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableProcessesInEnhancedProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + DisableProxyChange 
@@ -15759,6 +21639,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisableSecuritySettingsCheck + + + + + + + + + + + + + + + + + + + text/plain + + + DisableUpdateCheck @@ -15783,6 +21687,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DoNotAllowActiveXControlsInProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + DoNotAllowUsersToAddSites @@ -15999,6 +21927,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowFontDownloads @@ -16047,6 +22023,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneAllowLoadingOfXAMLFilesWRONG + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowNETFrameworkReliantComponents @@ -16071,6 +22071,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowScriptlets @@ -16119,6 +22215,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneAllowUpdatesToStatusBarViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneAllowUserDataPersistence 
@@ -16143,6 +22263,246 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneEnableProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneInitializeAndScriptActiveXControls @@ -16167,6 +22527,126 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneJavaPermissionsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneJavaPermissionsWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneLogonOptions + + + + + + + + + + + + + + + + + + + text/plain + + + InternetZoneNavigateWindowsAndFrames 
@@ -16191,6 +22671,126 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneUsePopupBlocker + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + + + + + + + + + + + + + + + + + + + text/plain + + + IntranetZoneAllowAccessToDataSources @@ -16671,6 +23271,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + LocalMachineZoneInitializeAndScriptActiveXControls @@ -16695,6 +23319,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LocalMachineZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LocalMachineZoneNavigateWindowsAndFrames @@ -16959,6 +23607,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LockedDownInternetZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownInternetZoneNavigateWindowsAndFrames @@ -17487,6 +24159,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LockedDownLocalMachineZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames 
@@ -17751,6 +24447,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LockedDownRestrictedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames @@ -18015,6 +24735,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LockedDownTrustedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames @@ -18039,6 +24783,198 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + MimeSniffingSafetyFeatureInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + MKProtocolSecurityRestrictionInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + NotificationBarInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventManagingSmartScreenFilter + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventPerUserInstallationOfActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + ProtectionFromZoneElevationInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + RemoveRunThisTimeButtonForOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictActiveXInstallInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowAccessToDataSources @@ -18063,6 +24999,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneAllowActiveScripting + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls 
@@ -18112,7 +25072,127 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - RestrictedSitesZoneAllowFontDownloads + RestrictedSitesZoneAllowBinaryAndScriptBehaviors + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloadsWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloadsWRONG2 @@ -18159,6 +25239,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneAllowLoadingOfXAMLFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowMETAREFRESH + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents @@ -18183,6 +25311,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowScriptlets @@ -18231,6 +25455,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneAllowUserDataPersistence 
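Review bot: The only line this hunk removes is the existing name `RestrictedSitesZoneAllowFontDownloads`, and nothing in the hunk adds that exact name back. The entries that take its place at the end of the hunk are `RestrictedSitesZoneAllowFontDownloadsWRONG1` and `RestrictedSitesZoneAllowFontDownloadsWRONG2`. If the file holds no other node with the original name, configuration that already references it would stop matching the definition, which is an easy regression to miss for a Restricted Sites zone control. I would keep one node named `RestrictedSitesZoneAllowFontDownloads` and resolve the two suffixed entries to their real policy names before merging.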
@@ -18255,6 +25503,174 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneInitializeAndScriptActiveXControls @@ -18279,6 +25695,78 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneLogonOptions + + + + + + + + + + + + + + + + + + + text/plain + + + RestrictedSitesZoneNavigateWindowsAndFrames 
@@ -18303,6 +25791,270 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneRunActiveXControlsAndPlugins + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG3 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG4 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneWRONG5 + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictFileDownloadInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + SearchProviderList @@ -18327,6 +26079,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + SecurityZonesUseOnlyMachineSettings + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyUseOfActiveXInstallerService + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneAllowAccessToDataSources @@ -18567,6 +26367,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + TrustedSitesZoneJavaPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + TrustedSitesZoneNavigateWindowsAndFrames 
@@ -18591,6 +26415,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + TrustedSitesZoneWRONG1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + + + text/plain + + + Kerberos 
@@ -18804,6 +26676,897 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LocalPoliciesSecurityOptions + + + + + + + + + + + + + + + + + + + + + Accounts_BlockMicrosoftAccounts + + + + + + + + This policy setting prevents users from adding new Microsoft accounts on this computer. + +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + + + + + + + + + + + text/plain + + + + + Accounts_EnableAdministratorAccountStatus + + + + + + + + This security setting determines whether the local Administrator account is enabled or disabled. + +Notes + +If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. +Disabling the Administrator account can become a maintenance issue under certain circumstances. + +Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. 
If the computer is domain joined the disabled administrator will not be enabled. + +Default: Disabled. + + + + + + + + + + + text/plain + + + + + Accounts_EnableGuestAccountStatus + + + + + + + + This security setting determines if the Guest account is enabled or disabled. + +Default: Disabled. + +Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + + + + + + + + + + + text/plain + + + + + Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly + + + + + + + + Accounts: Limit local account use of blank passwords to console logon only + +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. + +Default: Enabled. + + +Warning: + +Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +Notes + +This setting does not affect logons that use domain accounts. +It is possible for applications that use remote interactive logons to bypass this setting. + + + + + + + + + + + text/plain + + + + + Accounts_RenameAdministratorAccount + + + + + + + + Accounts: Rename administrator account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. 
Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +Default: Administrator. + + + + + + + + + + + text/plain + + + + + Accounts_RenameGuestAccount + + + + + + + + Accounts: Rename guest account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +Default: Guest. + + + + + + + + + + + text/plain + + + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked + + + + + + + + Interactive Logon:Display user information when the session is locked +User display name, domain and user names (1) +User display name only (2) +Do not display user information (3) + + + + + + + + + + + text/plain + + + + + Interactivelogon_DoNotDisplayLastSignedIn + + + + + + + + Interactive logon: Don't display last signed-in +This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. + + + + + + + + + + + text/plain + + + + + Interactivelogon_DoNotDisplayUsernameAtSignIn + + + + + + + + Interactive logon: Don't display username at sign-in +This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. 
+ + + + + + + + + + + text/plain + + + + + Interactivelogon_DoNotRequireCTRLALTDEL + + + + + + + + Interactive logon: Do not require CTRL+ALT+DEL + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. + +Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled. + + + + + + + + + + + text/plain + + + + + InteractiveLogon_MachineInactivityLimit + + + + + + + + Interactive logon: Machine inactivity limit. + +Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. + +Default: not enforced. + + + + + + + + + + + text/plain + + + + + InteractiveLogon_MessageTextForUsersAttemptingToLogOn + + + + + + + + Interactive logon: Message text for users attempting to log on + +This security setting specifies a text message that is displayed to users when they log on. + +This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + +Default: No message. 
+ + + + + + + + + + + text/plain + + + + + InteractiveLogon_MessageTitleForUsersAttemptingToLogOn + + + + + + + + Interactive logon: Message title for users attempting to log on + +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. + +Default: No message. + + + + + + + + + + + text/plain + + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccountsAndShares + + + + + + + + Network access: Do not allow anonymous enumeration of SAM accounts and shares + +This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. + +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. + +Default: Disabled. + + + + + + + + + + + text/plain + + + + + NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + + + + + + + Network access: Restrict anonymous access to Named Pipes and Shares + +When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: + +Network access: Named pipes that can be accessed anonymously +Network access: Shares that can be accessed anonymously +Default: Enabled. + + + + + + + + + + + text/plain + + + + + NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + + + + + + + + Network access: Restrict clients allowed to make remote calls to SAM + +This policy setting allows you to restrict remote rpc connections to SAM. + +If not selected, the default security descriptor will be used. + +This policy is supported on at least Windows Server 2016. 
+ + + + + + + + + + + text/plain + + + + + NetworkSecurity_AllowPKU2UAuthenticationRequests + + + + + + + + Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + + + + + + + + + + + text/plain + + + + + RecoveryConsole_AllowAutomaticAdministrativeLogon + + + + + + + + Recovery console: Allow automatic administrative logon + +This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. + +Default: This policy is not defined and automatic administrative logon is not allowed. + + + + + + + + + + + text/plain + + + + + Shutdown_ClearVirtualMemoryPageFile + + + + + + + + Shutdown: Clear virtual memory pagefile + +This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. + +Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. + +When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. + +Default: Disabled. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_AllowUIAccessApplicationsToPromptForElevation + + + + + + + + User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. + +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + + + + + + + + + + + text/plain + + + + + UserAccountControl_BehaviorOfTheElevationPromptForAdministrators + + + + + + + + User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + +This policy setting controls the behavior of the elevation prompt for administrators. + +The options are: + +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. + +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. 
If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + + + + + + + + + + + text/plain + + + + + UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers + + + + + + + + User Account Control: Behavior of the elevation prompt for standard users +This policy setting controls the behavior of the elevation prompt for standard users. + +The options are: + +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated + + + + + + + + User Account Control: Only elevate executable files that are signed and validated + +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + +The options are: + +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. + +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. + + + + + + + + + + + text/plain + + + + + UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + + + + + + + User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. + +The options are: + +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. 
+ + + + + + + + + + + text/plain + + + + + UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + + + + + + + User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: + +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + + + + + + + + + + text/plain + + + + + UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation + + + + + + + + User Account Control: Switch to the secure desktop when prompting for elevation + +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + +The options are: + +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. + + + + + + + + + + + text/plain + + + + + UserAccountControl_UseAdminApprovalMode + + + + + + + + User Account Control: Use Admin Approval Mode for the built-in Administrator account + +This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + +The options are: + +• Enabled: The built-in Administrator account uses Admin Approval Mode. 
By default, any operation that requires elevation of privilege will prompt the user to approve the operation. + +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + + + + + + + + + + + text/plain + + + + + UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations + + + + + + + + User Account Control: Virtualize file and registry write failures to per-user locations + +This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. + +The options are: + +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. + +• Disabled: Applications that write data to protected locations fail. + + + + + + + + + + + text/plain + + + + Location @@ -19319,6 +28082,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + DisplayOffTimeoutOnBattery + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisplayOffTimeoutPluggedIn + + + + + + + + + + + + + + + + + + + text/plain + + + + + HibernateTimeoutOnBattery + + + + + + + + + + + + + + + + + + + text/plain + + + + + HibernateTimeoutPluggedIn + + + + + + + + + + + + + + + + + + + text/plain + + + RequirePasswordWhenComputerWakesOnBattery @@ -19367,6 +28226,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + StandbyTimeoutOnBattery + + + + + + + + + + + + + + + + + + + text/plain + + + + + StandbyTimeoutPluggedIn + + + + + + + + + + + + + + + + + + + text/plain + + + Printers 
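Review bot: The interactive-logon node names added in this hunk use two different casings of the prefix. `InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked`, `InteractiveLogon_MachineInactivityLimit` and the two message nodes capitalise `Logon`, while `Interactivelogon_DoNotDisplayLastSignedIn`, `Interactivelogon_DoNotDisplayUsernameAtSignIn` and `Interactivelogon_DoNotRequireCTRLALTDEL` do not. If the name is compared case-sensitively anywhere between the definition and the device, a profile written with the other spelling would not apply, and these are sign-in hardening settings where a silent miss matters. Confirm which spelling the implementation uses and make all seven names agree, for example `InteractiveLogon_DoNotRequireCTRLALTDEL` if the capitalised form is the real one.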
@@ -19531,6 +28438,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + EnableActivityFeed + + + + + + + + Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. + + + + + + + + + + + text/plain + + + LetAppsAccessAccountInfo @@ -19915,6 +28846,102 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + LetAppsAccessCellularData + + + + + + + + This policy setting specifies whether Windows apps can access cellular data. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + text/plain + + + LetAppsAccessContacts @@ -21259,6 +30286,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PublishUserActivities + + + + + + + + Allows apps/system to publish 'User Activities' into ActivityFeed. + + + + + + + + + + + text/plain + + + RemoteAssistance 
@@ -21544,6 +30595,388 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RemoteManagement + + + + + + + + + + + + + + + + + + + + + AllowBasicAuthentication_Client + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowBasicAuthentication_Service + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCredSSPAuthenticationClient + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCredSSPAuthenticationService + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRemoteServerManagement + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUnencryptedTraffic_Client + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUnencryptedTraffic_Service + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowDigestAuthentication + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowNegotiateAuthenticationClient + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowNegotiateAuthenticationService + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowStoringOfRunAsCredentials + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyChannelBindingTokenHardeningLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedHosts + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOnCompatibilityHTTPListener + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOnCompatibilityHTTPSListener + + + + + + + + + + + + + + + + + + + text/plain + + + + RemoteProcedureCall 
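Review bot: The nodes added under `RemoteManagement` show no description text, and their names mix polarities (`AllowBasicAuthentication_Client`, `AllowUnencryptedTraffic_Service`, `DisallowDigestAuthentication`, `TurnOnCompatibilityHTTPListener`). That makes it easy to enable a setting that weakens remote-management transport or authentication while intending to harden it. The `LocalPoliciesSecurityOptions` nodes earlier in this diff each state what the setting does and its default, and I would do the same here. For `AllowUnencryptedTraffic_Client`, for instance: `Enabled: the client may send and receive unencrypted messages. Default: <confirm against the backing policy>.` It would also help to say what value format `TrustedHosts` expects. The element markup is stripped in this view, so descriptions may exist and simply be hidden; the `RemoteShell` nodes in the next hunk look the same.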
@@ -21614,6 +31047,196 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + RemoteShell + + + + + + + + + + + + + + + + + + + + + AllowRemoteShellAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxConcurrentUsers + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyIdleTimeout + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaxMemory + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaxProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaxRemoteShells + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyShellTimeout + + + + + + + + + + + + + + + + + + + text/plain + + + + Search @@ -22017,6 +31640,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ClearTPMIfNotReady + + + + + + + + + + + + + + + + + + + text/plain + + + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices @@ -22969,6 +32616,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + HidePeopleBar + + + + + + + + Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + + + + + + + + + + + text/plain + + + HidePowerButton 
@@ -23550,7 +33221,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. @@ -24087,6 +33758,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowAutoWindowsUpdateDownloadOverMeteredNetwork + + + + + + + + + + + + + + + + + + + text/plain + + + AllowMUUpdateService @@ -24543,6 +34238,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ManageBuildPreview + + + + + + + + + + + + + + + + + + + text/plain + + + PauseDeferrals 
@@ -24759,6 +34478,126 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + ScheduledInstallEveryWeek + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallFirstWeek + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallFourthWeek + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallSecondWeek + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallThirdWeek + + + + + + + + + + + + + + + + + + + text/plain + + + ScheduledInstallTime @@ -25094,6 +34933,364 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + WindowsDefenderSecurityCenter + + + + + + + + + + + + + + + + + + + + + CompanyName + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableAppBrowserUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableEnhancedNotifications + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableFamilyUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableHealthUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableNetworkUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableNotifications + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableVirusUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowExploitProtectionOverride + + + + + + + + + + + + + + + + + + + text/plain + + + + + Email + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableCustomizedToasts + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableInAppCustomization + + + + + + + + + + + + + + + + + + + text/plain + + + + + Phone + + + + + + + + + + + + + + + + + + + text/plain + + + + + URL + + + + + + + + + + + + + + + + + + + text/plain + + + + WindowsInkWorkspace 
@@ -25279,6 +35476,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + AllowMdnsAdvertisement + + + + + + + + This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. + + + + + + + + + + + text/plain + + + + + AllowMdnsDiscovery + + + + + + + + This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. + + + + + + + + + + + text/plain + + + AllowProjectionFromPC @@ -25474,10 +35719,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowActionCenterNotifications - + AllowActionCenterNotifications + - + 1 @@ -25485,22 +35730,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowCortanaAboveLock - + AllowCortanaAboveLock + - + 1 @@ -25508,21 +35753,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowToasts - + AllowToasts + - + 1 
@@ -25530,15 +35775,92 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + + + + + AccountPolicies + + + + + + + + + + + + + + + + + + + MinDevicePasswordLength + + + + + This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. + 7 + + + + + + + + + + + text/plain + + phone + + + + PasswordMustMeetComplexityRequirement + + + + + This security setting determines whether passwords must meet complexity requirements. + +If this policy is enabled, passwords must meet the following minimum requirements: + +Not contain the user's account name or parts of the user's full name that exceed two consecutive characters +Be at least six characters in length +Contain characters from three of the following four categories: +English uppercase characters (A through Z) +English lowercase characters (a through z) +Base 10 digits (0 through 9) +Non-alphabetic characters (for example, !, $, #, %) +Complexity requirements are enforced when passwords are changed or created. + 0 + + + + + + + + + + + text/plain + + phone + @@ -25561,10 +35883,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAddingNonMicrosoftAccountsManually - + AllowAddingNonMicrosoftAccountsManually + - + 1 @@ -25572,21 +35894,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowMicrosoftAccountConnection - + AllowMicrosoftAccountConnection + - + 1 @@ -25594,21 +35916,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowMicrosoftAccountSignInAssistant - + AllowMicrosoftAccountSignInAssistant + - + 1 
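Review bot: In the hunk at -25530, the new AccountPolicies/PasswordMustMeetComplexityRequirement node describes what happens "if this policy is enabled" but never says which integer value enables it. The value following the description is 0, which looks like the default and would mean complexity is not enforced unless the policy is set. Add a closing line to the description mapping the values, for example `0 - complexity requirements are not enforced (default); 1 - enforced.`, after confirming the mapping against the CSP implementation. MinDevicePasswordLength already explains its 0 value, so only the complexity node needs the change.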
@@ -25616,21 +35938,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DomainNamesForEmailSync - + DomainNamesForEmailSync + - + @@ -25638,15 +35960,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -25669,10 +35991,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - ApprovedInstallationSites - + ApprovedInstallationSites + - + @@ -25680,19 +36002,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ActiveXInstallService.admx ActiveXInstallService~AT~WindowsComponents~AxInstSv ApprovedActiveXInstallSites - + @@ -25715,10 +36037,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DefaultAssociationsConfiguration - + DefaultAssociationsConfiguration + - + @@ -25726,16 +36048,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -25758,10 +36080,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAllTrustedApps - + AllowAllTrustedApps + - + 65535 @@ -25769,21 +36091,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowAppStoreAutoUpdate - + AllowAppStoreAutoUpdate + - + 2 @@ -25791,21 +36113,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowDeveloperUnlock - + AllowDeveloperUnlock + - + 65535 @@ -25813,21 +36135,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowGameDVR - + AllowGameDVR + - + 1 
@@ -25835,22 +36157,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowSharedUserAppData - + AllowSharedUserAppData + - + 0 @@ -25858,21 +36180,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowStore - + AllowStore + - + 1 @@ -25880,22 +36202,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - ApplicationRestrictions - + ApplicationRestrictions + - + @@ -25903,22 +36225,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - DisableStoreOriginatedApps - + DisableStoreOriginatedApps + - + 0 @@ -25926,21 +36248,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - RestrictAppDataToSystemVolume - + RestrictAppDataToSystemVolume + - + 0 @@ -25948,21 +36270,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - RestrictAppToSystemVolume - + RestrictAppToSystemVolume + - + 0 @@ -25970,15 +36292,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -26001,10 +36323,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAppVClient - + AllowAppVClient + - + @@ -26012,25 +36334,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV EnableAppV - + - AllowDynamicVirtualization - + AllowDynamicVirtualization + - + 
@@ -26038,25 +36360,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVEnable - + - AllowPackageCleanup - + AllowPackageCleanup + - + @@ -26064,25 +36386,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_PackageManagement PackageManagement_AutoCleanupEnable - + - AllowPackageScripts - + AllowPackageScripts + - + @@ -26090,25 +36412,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Scripting Scripting_Enable_Package_Scripts - + - AllowPublishingRefreshUX - + AllowPublishingRefreshUX + - + @@ -26116,25 +36438,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Enable_Publishing_Refresh_UX - + - AllowReportingServer - + AllowReportingServer + - + @@ -26142,25 +36464,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Reporting Reporting_Server_Policy - + - AllowRoamingFileExclusions - + AllowRoamingFileExclusions + - + @@ -26168,25 +36490,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_File_Exclusions - + - AllowRoamingRegistryExclusions - + AllowRoamingRegistryExclusions + - + 
@@ -26194,25 +36516,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Roaming_Registry_Exclusions - + - AllowStreamingAutoload - + AllowStreamingAutoload + - + @@ -26220,25 +36542,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Steaming_Autoload - + - ClientCoexistenceAllowMigrationmode - + ClientCoexistenceAllowMigrationmode + - + @@ -26246,25 +36568,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Client_Coexistence Client_Coexistence_Enable_Migration_mode - + - IntegrationAllowRootGlobal - + IntegrationAllowRootGlobal + - + @@ -26272,25 +36594,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_User - + - IntegrationAllowRootUser - + IntegrationAllowRootUser + - + @@ -26298,25 +36620,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Integration Integration_Root_Global - + - PublishingAllowServer1 - + PublishingAllowServer1 + - + @@ -26324,25 +36646,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server1_Policy - + - PublishingAllowServer2 - + PublishingAllowServer2 + - + 
@@ -26350,25 +36672,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server2_Policy - + - PublishingAllowServer3 - + PublishingAllowServer3 + - + @@ -26376,25 +36698,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server3_Policy - + - PublishingAllowServer4 - + PublishingAllowServer4 + - + @@ -26402,25 +36724,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server4_Policy - + - PublishingAllowServer5 - + PublishingAllowServer5 + - + @@ -26428,25 +36750,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Publishing Publishing_Server5_Policy - + - StreamingAllowCertificateFilterForClient_SSL - + StreamingAllowCertificateFilterForClient_SSL + - + @@ -26454,25 +36776,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Certificate_Filter_For_Client_SSL - + - StreamingAllowHighCostLaunch - + StreamingAllowHighCostLaunch + - + @@ -26480,25 +36802,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Allow_High_Cost_Launch - + - StreamingAllowLocationProvider - + StreamingAllowLocationProvider + - + 
@@ -26506,25 +36828,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Location_Provider - + - StreamingAllowPackageInstallationRoot - + StreamingAllowPackageInstallationRoot + - + @@ -26532,25 +36854,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Installation_Root - + - StreamingAllowPackageSourceRoot - + StreamingAllowPackageSourceRoot + - + @@ -26558,25 +36880,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Package_Source_Root - + - StreamingAllowReestablishmentInterval - + StreamingAllowReestablishmentInterval + - + @@ -26584,25 +36906,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Interval - + - StreamingAllowReestablishmentRetries - + StreamingAllowReestablishmentRetries + - + @@ -26610,25 +36932,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Reestablishment_Retries - + - StreamingSharedContentStoreMode - + StreamingSharedContentStoreMode + - + @@ -26636,25 +36958,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Shared_Content_Store_Mode - + - StreamingSupportBranchCache - + StreamingSupportBranchCache + - + 
@@ -26662,25 +36984,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Support_Branch_Cache - + - StreamingVerifyCertificateRevocationList - + StreamingVerifyCertificateRevocationList + - + @@ -26688,25 +37010,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Streaming Streaming_Verify_Certificate_Revocation_List - + - VirtualComponentsAllowList - + VirtualComponentsAllowList + - + @@ -26714,19 +37036,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone appv.admx appv~AT~System~CAT_AppV~CAT_Virtualization Virtualization_JITVAllowList - + @@ -26749,10 +37071,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowFastReconnect - + AllowFastReconnect + - + 1 @@ -26760,21 +37082,44 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSecondaryAuthenticationDevice - + AllowFidoDeviceSignon + - + + + Specifies whether FIDO device can be used to sign on. + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowSecondaryAuthenticationDevice + + + 0 @@ -26782,15 +37127,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -26813,10 +37158,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisallowAutoplayForNonVolumeDevices - + DisallowAutoplayForNonVolumeDevices + - + 
@@ -26824,25 +37169,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutoplayfornonVolume - + - SetDefaultAutoRunBehavior - + SetDefaultAutoRunBehavior + - + @@ -26850,25 +37195,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay NoAutorun - + - TurnOffAutoPlay - + TurnOffAutoPlay + - + @@ -26876,19 +37221,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone AutoPlay.admx AutoPlay~AT~WindowsComponents~AutoPlay Autorun - + @@ -26911,10 +37256,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - EncryptionMethod - + EncryptionMethod + - + 6 @@ -26922,15 +37267,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -26953,10 +37298,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAdvertising - + AllowAdvertising + - + 1 @@ -26964,21 +37309,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowDiscoverableMode - + AllowDiscoverableMode + - + 1 @@ -26986,21 +37331,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowPrepairing - + AllowPrepairing + - + 1 @@ -27008,21 +37353,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LocalDeviceName - + LocalDeviceName + - + @@ -27030,21 +37375,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ServicesAllowedList - + ServicesAllowedList + - + 
@@ -27052,15 +37397,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -27083,10 +37428,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAddressBarDropdown - + AllowAddressBarDropdown + - + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. 1 @@ -27094,22 +37439,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowAutofill - + AllowAutofill + - + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. 0 @@ -27117,21 +37462,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowBrowser - + AllowBrowser + - + 1 @@ -27139,22 +37484,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowCookies - + AllowCookies + - + This setting lets you configure how your company deals with cookies. 2 @@ -27162,21 +37507,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowDeveloperTools - + AllowDeveloperTools + - + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. 1 @@ -27184,22 +37529,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowDoNotTrack - + AllowDoNotTrack + - + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. 0 
@@ -27207,21 +37552,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowExtensions - + AllowExtensions + - + This setting lets you decide whether employees can load extensions in Microsoft Edge. 1 @@ -27229,22 +37574,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowFlash - + AllowFlash + - + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. 1 @@ -27252,22 +37597,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowFlashClickToRun - + AllowFlashClickToRun + - + Configure the Adobe Flash Click-to-Run setting. 1 @@ -27275,22 +37620,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowInPrivate - + AllowInPrivate + - + This setting lets you decide whether employees can browse using InPrivate website browsing. 1 
@@ -27298,25 +37643,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowMicrosoftCompatibilityList - + AllowMicrosoftCompatibilityList + - + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 1 
@@ -27324,21 +37669,21 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - + - + - text/plain + text/plain - + - AllowPasswordManager - + AllowPasswordManager + - + This setting lets you decide whether employees can save their passwords locally, using Password Manager. 1 @@ -27346,21 +37691,21 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - + - + - text/plain + text/plain - + - AllowPopups - + AllowPopups + - + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. 0 @@ -27368,22 +37713,22 @@ If you disable this setting, the Microsoft Compatibility List will not be used d - + - + - text/plain + text/plain phone - + - AllowSearchEngineCustomization - + AllowSearchEngineCustomization + - + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. @@ -27396,21 +37741,21 @@ This policy will only apply on domain joined machines or when the device is MDM - + - + - text/plain + text/plain - + - AllowSearchSuggestionsinAddressBar - + AllowSearchSuggestionsinAddressBar + - + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. 1 @@ -27418,21 +37763,21 @@ This policy will only apply on domain joined machines or when the device is MDM - + - + - text/plain + text/plain - + - AllowSmartScreen - + AllowSmartScreen + - + This setting lets you decide whether to turn on Windows Defender SmartScreen. 1 @@ -27440,21 +37785,21 @@ This policy will only apply on domain joined machines or when the device is MDM - + - + - text/plain + text/plain - + - ClearBrowsingDataOnExit - + ClearBrowsingDataOnExit + - + Specifies whether to always clear browsing history on exiting Microsoft Edge. 0 
@@ -27462,22 +37807,22 @@ This policy will only apply on domain joined machines or when the device is MDM - + - + - text/plain + text/plain phone - + - ConfigureAdditionalSearchEngines - + ConfigureAdditionalSearchEngines + - + Allows you to add up to 5 additional search engines for MDM-enrolled devices. @@ -27491,21 +37836,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DisableLockdownOfStartPages - + DisableLockdownOfStartPages + - + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. @@ -27518,22 +37863,22 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + - + - text/plain + text/plain phone - + - EnterpriseModeSiteList - + EnterpriseModeSiteList + - + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. @@ -27541,22 +37886,22 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + - + - text/plain + text/plain phone - + - EnterpriseSiteListServiceUrl - + EnterpriseSiteListServiceUrl + - + @@ -27564,22 +37909,22 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + - + - text/plain + text/plain phone - + - FirstRunURL - + FirstRunURL + - + Configure first run URL. 
@@ -27587,50 +37932,50 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo - + - + - text/plain + text/plain desktop - + - HomePages - + HomePages + - + Configure the Start page URLs for your employees. Example: If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. Encapsulate each string with greater than and less than characters like any other XML tag. -Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. - + - + - text/plain + text/plain phone - + - PreventAccessToAboutFlagsInMicrosoftEdge - + PreventAccessToAboutFlagsInMicrosoftEdge + - + Prevent access to the about:flags page in Microsoft Edge. 0 @@ -27638,21 +37983,21 @@ Version 1703 or later:  If you don't want to send traffic to Microsoft, you ca - + - + - text/plain + text/plain - + - PreventFirstRunPage - + PreventFirstRunPage + - + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. 
@@ -27662,22 +38007,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - PreventLiveTileDataCollection - + PreventLiveTileDataCollection + - + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. @@ -27687,34 +38032,32 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + PreventSmartScreenPromptOverride - - - Don't allow Windows Defender SmartScreen warning overrides + 0 - + - + text/plain @@ -27725,20 +38068,18 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on PreventSmartScreenPromptOverrideForFiles - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. + 0 - + - + text/plain @@ -27746,10 +38087,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventUsingLocalHostIPAddressForWebRTC - + PreventUsingLocalHostIPAddressForWebRTC + - + Prevent using localhost IP address for WebRTC 0 @@ -27757,21 +38098,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - SendIntranetTraffictoInternetExplorer - + SendIntranetTraffictoInternetExplorer + - + Sends all intranet traffic over to Internet Explorer. 0 @@ -27779,22 +38120,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - SetDefaultSearchEngine - + SetDefaultSearchEngine + - + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. 
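Review bot: The hunks at -27687 and -27725 remove the description text of PreventSmartScreenPromptOverride and PreventSmartScreenPromptOverrideForFiles and add only an empty line in its place. The removed text is `Don't allow Windows Defender SmartScreen warning overrides` and the same sentence ending `for unverified files.` The neighbouring Browser nodes (PreventLiveTileDataCollection, PreventUsingLocalHostIPAddressForWebRTC) keep their descriptions, so this looks unintended for two security-relevant settings. If so, restore both sentences on the new side. It would also help to say what the default 0 means for each, once confirmed against the CSP.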
@@ -27808,21 +38149,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ShowMessageWhenOpeningSitesInInternetExplorer - + ShowMessageWhenOpeningSitesInInternetExplorer + - + Show message when opening sites in Internet Explorer 0 @@ -27830,22 +38171,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - SyncFavoritesBetweenIEAndMicrosoftEdge - + SyncFavoritesBetweenIEAndMicrosoftEdge + - + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. 0 @@ -27853,16 +38194,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -27885,10 +38226,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowCamera - + AllowCamera + - + 1 @@ -27896,15 +38237,60 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + + + + + Cellular + + + + + + + + + + + + + + + + + + + ShowAppCellularAccessUI + + + + + + + + + + + + + + + + + text/plain + + wwansvc.admx + wwansvc~AT~Network~WwanSvc_Category~UISettings_Category + ShowAppCellularAccessUI + @@ -27927,10 +38313,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowBluetooth - + AllowBluetooth + - + 2 @@ -27938,21 +38324,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowCellularData - + AllowCellularData + - + 1 @@ -27960,21 +38346,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowCellularDataRoaming - + AllowCellularDataRoaming + - + 1 
@@ -27982,21 +38368,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowConnectedDevices - + AllowConnectedDevices + - + 1 @@ -28004,21 +38390,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowNFC - + AllowNFC + - + 1 @@ -28026,22 +38412,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowUSBConnection - + AllowUSBConnection + - + 1 @@ -28049,22 +38435,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowVPNOverCellular - + AllowVPNOverCellular + - + 1 @@ -28072,21 +38458,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowVPNRoamingOverCellular - + AllowVPNRoamingOverCellular + - + 1 @@ -28094,43 +38480,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DisallowNetworkConnectivityActiveTests - + DiablePrintingOverHTTP + - - - - 0 - - - - - - - - - - - text/plain - - - - - HardenedUNCPaths - - - + 
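Review bot: The node name added in the last hunk of this group is spelled `DiablePrintingOverHTTP`, while the ADMX policy it appears to map to in the next hunk is `DisableHTTPPrinting_2`. Administrators copy these node names into policy URIs, and a name that does not match the shipped node would leave the HTTP-printing restriction unapplied without any obvious error. Please confirm the spelling against the product. If the missing "s" is the real node name, a short remark next to it such as `node name is spelled "Diable" in the CSP` would stop readers from correcting it.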
@@ -28138,19 +38502,145 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + ICM.admx + ICM~AT~System~InternetManagement~InternetManagement_Settings + DisableHTTPPrinting_2 + + + + DisableDownloadingOfPrintDriversOverHTTP + + + + + + + + + + + + + + + + + text/plain + + phone + ICM.admx + ICM~AT~System~InternetManagement~InternetManagement_Settings + DisableWebPnPDownload_2 + + + + DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards + + + + + + + + + + + + + + + + + text/plain + + phone + ICM.admx + ICM~AT~System~InternetManagement~InternetManagement_Settings + ShellPreventWPWDownload_2 + + + + DisallowNetworkConnectivityActiveTests + + + + + + 0 + + + + + + + + + + + text/plain + + + + + HardenedUNCPaths + + + + + + + + + + + + + + + + + text/plain phone networkprovider.admx NetworkProvider~AT~Network~Cat_NetworkProvider Pol_HardenedPaths - + + + + ProhibitInstallationAndConfigurationOfNetworkBridge + + + + + + + + + + + + + + + + + text/plain + + phone + NetworkConnections.admx + NetworkConnections~AT~Network~NetworkConnections + NC_AllowNetBridge_NLA + @@ -28173,10 +38663,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowPINLogon - + AllowPINLogon + - + @@ -28184,25 +38674,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone credentialproviders.admx CredentialProviders~AT~System~Logon AllowDomainPINLogon - + - BlockPicturePassword - + BlockPicturePassword + - + @@ -28210,19 +38700,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone credentialproviders.admx CredentialProviders~AT~System~Logon BlockDomainPicturePassword - + @@ -28245,10 +38735,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisablePasswordReveal - + DisablePasswordReveal + - + 
@@ -28256,25 +38746,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI DisablePasswordReveal - + - EnumerateAdministrators - + EnumerateAdministrators + - + @@ -28282,19 +38772,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone credui.admx CredUI~AT~WindowsComponents~CredUI EnumerateAdministrators - + @@ -28317,10 +38807,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowFipsAlgorithmPolicy - + AllowFipsAlgorithmPolicy + - + 0 @@ -28328,21 +38818,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - TLSCipherSuites - + TLSCipherSuites + - + @@ -28350,15 +38840,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -28381,10 +38871,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowDirectMemoryAccess - + AllowDirectMemoryAccess + - + 1 @@ -28392,21 +38882,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LegacySelectiveWipeID - + LegacySelectiveWipeID + - + @@ -28414,15 +38904,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -28445,10 +38935,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - SetCost3G - + SetCost3G + - + @@ -28456,24 +38946,24 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost3G - + - SetCost4G - + SetCost4G + - + 
@@ -28481,18 +38971,18 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain wwansvc.admx wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category SetCost4G - + @@ -28515,10 +39005,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowArchiveScanning - + AllowArchiveScanning + - + 1 @@ -28526,22 +39016,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowBehaviorMonitoring - + AllowBehaviorMonitoring + - + 1 @@ -28549,22 +39039,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowCloudProtection - + AllowCloudProtection + - + 1 @@ -28572,22 +39062,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowEmailScanning - + AllowEmailScanning + - + 0 @@ -28595,22 +39085,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowFullScanOnMappedNetworkDrives - + AllowFullScanOnMappedNetworkDrives + - + 0 @@ -28618,22 +39108,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowFullScanRemovableDriveScanning - + AllowFullScanRemovableDriveScanning + - + 1 @@ -28641,22 +39131,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowIntrusionPreventionSystem - + AllowIntrusionPreventionSystem + - + 1 @@ -28664,22 +39154,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowIOAVProtection - + AllowIOAVProtection + - + 1 
@@ -28687,22 +39177,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowOnAccessProtection - + AllowOnAccessProtection + - + 1 @@ -28710,22 +39200,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowRealtimeMonitoring - + AllowRealtimeMonitoring + - + 1 @@ -28733,22 +39223,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowScanningNetworkFiles - + AllowScanningNetworkFiles + - + 0 @@ -28756,22 +39246,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowScriptScanning - + AllowScriptScanning + - + 1 @@ -28779,22 +39269,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowUserUIAccess - + AllowUserUIAccess + - + 1 @@ -28802,22 +39292,68 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AvgCPULoadFactor - + AttackSurfaceReductionOnlyExclusions + - + + + + + + + + + + + + + + + text/plain + + phone + + + + AttackSurfaceReductionRules + + + + + + + + + + + + + + + + + text/plain + + phone + + + + AvgCPULoadFactor + + + 50 @@ -28825,22 +39361,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DaysToRetainCleanedMalware - + CloudBlockLevel + - + 0 
@@ -28848,91 +39384,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ExcludedExtensions - + CloudExtendedTimeout + - - - - - - - - - - - - - - - text/plain - - phone - - - - ExcludedPaths - - - - - - - - - - - - - - - - - text/plain - - phone - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - - - - PUAProtection - - - + 0 @@ -28940,22 +39407,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - RealTimeScanDirection - + DaysToRetainCleanedMalware + - + 0 @@ -28963,22 +39430,229 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ScanParameter - + EnableGuardMyFolders + - + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + EnableNetworkProtection + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ExcludedExtensions + + + + + + + + + + + + + + + + + text/plain + + phone + + + + ExcludedPaths + + + + + + + + + + + + + + + + + text/plain + + phone + + + + ExcludedProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + + + + GuardedFoldersAllowedApplications + + + + + + + + + + + + + + + + + text/plain + + phone + + + + GuardedFoldersList + + + + + + + + + + + + + + + + + text/plain + + phone + + + + PUAProtection + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + RealTimeScanDirection + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ScanParameter + + + 1 @@ -28986,22 +39660,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ScheduleQuickScanTime - + ScheduleQuickScanTime + - + 120 
@@ -29009,22 +39683,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ScheduleScanDay - + ScheduleScanDay + - + 0 @@ -29032,22 +39706,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ScheduleScanTime - + ScheduleScanTime + - + 120 @@ -29055,22 +39729,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - SignatureUpdateInterval - + SignatureUpdateInterval + - + 8 @@ -29078,22 +39752,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - SubmitSamplesConsent - + SubmitSamplesConsent + - + 1 @@ -29101,22 +39775,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ThreatSeverityDefaultAction - + ThreatSeverityDefaultAction + - + @@ -29124,16 +39798,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -29156,10 +39830,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DOAbsoluteMaxCacheSize - + DOAbsoluteMaxCacheSize + - + 10 @@ -29167,22 +39841,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOAllowVPNPeerCaching - + DOAllowVPNPeerCaching + - + 0 @@ -29190,22 +39864,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DODownloadMode - + DODownloadMode + - + 1 @@ -29213,22 +39887,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOGroupId - + DOGroupId + - + 
@@ -29236,22 +39910,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMaxCacheAge - + DOMaxCacheAge + - + 259200 @@ -29259,22 +39933,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMaxCacheSize - + DOMaxCacheSize + - + 20 @@ -29282,22 +39956,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMaxDownloadBandwidth - + DOMaxDownloadBandwidth + - + 0 @@ -29305,22 +39979,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMaxUploadBandwidth - + DOMaxUploadBandwidth + - + 0 @@ -29328,22 +40002,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMinBackgroundQos - + DOMinBackgroundQos + - + 500 @@ -29351,22 +40025,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMinBatteryPercentageAllowedToUpload - + DOMinBatteryPercentageAllowedToUpload + - + 0 @@ -29374,22 +40048,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMinDiskSizeAllowedToPeer - + DOMinDiskSizeAllowedToPeer + - + 32 @@ -29397,22 +40071,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMinFileSizeToCache - + DOMinFileSizeToCache + - + 100 @@ -29420,22 +40094,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMinRAMAllowedToPeer - + DOMinRAMAllowedToPeer + - + 4 
@@ -29443,22 +40117,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOModifyCacheDrive - + DOModifyCacheDrive + - + %SystemDrive% @@ -29466,22 +40140,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOMonthlyUploadDataCap - + DOMonthlyUploadDataCap + - + 20 @@ -29489,22 +40163,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DOPercentageMaxDownloadBandwidth - + DOPercentageMaxDownloadBandwidth + - + 0 @@ -29512,16 +40186,105 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + + + + + DeviceGuard + + + + + + + + + + + + + + + + + + + EnableVirtualizationBasedSecurity + + + + + Turns On Virtualization Based Security(VBS) + 0 + + + + + + + + + + + text/plain + + phone + + + + LsaCfgFlags + + + + + Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. + 0 + + + + + + + + + + + text/plain + + phone + + + + RequirePlatformSecurityFeatures + + + + + Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. + 1 + + + + + + + + + + + text/plain + + phone + @@ -29544,10 +40307,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PreventInstallationOfMatchingDeviceIDs - + PreventInstallationOfMatchingDeviceIDs + - + 
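Review bot: The new `LsaCfgFlags` description says value 0 turns Credential Guard off remotely "if configured previously without UEFI Lock", but it does not say what 0 does on a device that was enabled with value 1 (UEFI lock). Because the value shown after the description is 0, a reader could assume that pushing 0 always disables the feature. One added sentence would settle it, for example `Setting 0 does not turn off Credential Guard on devices that were enabled with UEFI lock.`, with the wording confirmed against product behaviour. The same section lists `RequirePlatformSecurityFeatures` values 1 and 3 without saying whether they have any effect while `EnableVirtualizationBasedSecurity` is 0, which is worth stating either way.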
@@ -29555,25 +40318,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_IDs_Deny - + - PreventInstallationOfMatchingDeviceSetupClasses - + PreventInstallationOfMatchingDeviceSetupClasses + - + @@ -29581,19 +40344,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone deviceinstallation.admx DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category DeviceInstall_Classes_Deny - + @@ -29616,10 +40379,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowIdleReturnWithoutPassword - + AllowIdleReturnWithoutPassword + - + Specifies whether the user must input a PIN or password when the device resumes from an idle state. 1 @@ -29627,22 +40390,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowScreenTimeoutWhileLockedUserConfig - + AllowScreenTimeoutWhileLockedUserConfig + - + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. 0 @@ -29650,21 +40413,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSimpleDevicePassword - + AllowSimpleDevicePassword + - + Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. 1 
@@ -29672,21 +40435,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AlphanumericDevicePasswordRequired - + AlphanumericDevicePasswordRequired + - + Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 2 @@ -29694,21 +40457,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DevicePasswordEnabled - + DevicePasswordEnabled + - + Specifies whether device lock is enabled. 1 @@ -29716,21 +40479,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DevicePasswordExpiration - + DevicePasswordExpiration + - + Specifies when the password expires (in days). 0 @@ -29738,43 +40501,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DevicePasswordHistory - + DevicePasswordHistory + - + - Specifies how many passwords can be stored in the history that can’t be used. + Specifies how many passwords can be stored in the history that can’t be used. 0 - + - + - text/plain + text/plain - + - EnforceLockScreenAndLogonImage - + EnforceLockScreenAndLogonImage + - + @@ -29782,22 +40545,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - EnforceLockScreenProvider - + EnforceLockScreenProvider + - + @@ -29805,21 +40568,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - MaxDevicePasswordFailedAttempts - + MaxDevicePasswordFailedAttempts + - + 0 
@@ -29827,21 +40590,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - MaxInactivityTimeDeviceLock - + MaxInactivityTimeDeviceLock + - + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. 0 @@ -29849,21 +40612,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - MaxInactivityTimeDeviceLockWithExternalDisplay - + MaxInactivityTimeDeviceLockWithExternalDisplay + - + Sets the maximum timeout value for the external display. 0 @@ -29871,22 +40634,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - MinDevicePasswordComplexCharacters - + MinDevicePasswordComplexCharacters + - + The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. 1 @@ -29894,21 +40657,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - MinDevicePasswordLength - + MinDevicePasswordLength + - + Specifies the minimum number or characters required in the PIN or password. 4 
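Review bot: The description kept under `MaxInactivityTimeDeviceLock` reads `The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.`, which describes a failed-attempt limit, not an inactivity timeout. In the hunk just before this group, `MaxDevicePasswordFailedAttempts` is shown with no description text, so the sentence looks attached to the wrong node. The commit rewrites the lines around it but keeps the mismatch. Since this text tells an administrator when a device is wiped, I would move the sentence to `MaxDevicePasswordFailedAttempts` and give the timeout node its own description of the idle period before the device locks.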
@@ -29916,21 +40679,48 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - PreventLockScreenSlideShow - + MinimumPasswordAge + - + + + This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. + +The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. + +Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. + 1 + + + + + + + + + + + text/plain + + phone + + + + PreventLockScreenSlideShow + + + @@ -29938,25 +40728,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ControlPanelDisplay.admx ControlPanelDisplay~AT~ControlPanel~Personalization CPL_Personalization_NoLockScreenSlideshow - + - ScreenTimeoutWhileLocked - + ScreenTimeoutWhileLocked + - + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. 10 
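Review bot: The added `MinimumPasswordAge` description contradicts the values shown around it. It says "The default setting does not follow this recommendation", which implies a minimum age of 0, yet the value following the description is `1`. It also says "Enforce password history is set to 1 by default", while `DevicePasswordHistory` is listed earlier in this file with `0`. The paragraph appears to be carried over from Group Policy help text written for different defaults. I would trim it to the allowed range (0 to 998 days) and the interaction with password history, and state the default this node actually uses.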
@@ -29964,15 +40754,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -29995,10 +40785,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - TurnOffGdiDPIScalingForApps - + TurnOffGdiDPIScalingForApps + - + This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. @@ -30006,22 +40796,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - TurnOnGdiDPIScalingForApps - + TurnOnGdiDPIScalingForApps + - + This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. @@ -30029,16 +40819,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -30061,10 +40851,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - CustomizeConsentSettings - + CustomizeConsentSettings + - + @@ -30072,25 +40862,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerConsentCustomize_2 - + - DisableWindowsErrorReporting - + DisableWindowsErrorReporting + - + @@ -30098,25 +40888,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDisable_2 - + - DisplayErrorNotification - + DisplayErrorNotification + - + 
@@ -30124,25 +40914,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting PCH_ShowUI - + - DoNotSendAdditionalData - + DoNotSendAdditionalData + - + @@ -30150,25 +40940,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerNoSecondLevelData_2 - + - PreventCriticalErrorDisplay - + PreventCriticalErrorDisplay + - + @@ -30176,19 +40966,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone ErrorReporting.admx ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting WerDoNotShowUI - + @@ -30211,10 +41001,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - ControlEventLogBehavior - + ControlEventLogBehavior + - + @@ -30222,25 +41012,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_Log_Retention_1 - + - SpecifyMaximumFileSizeApplicationLog - + SpecifyMaximumFileSizeApplicationLog + - + @@ -30248,25 +41038,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application Channel_LogMaxSize_1 - + - SpecifyMaximumFileSizeSecurityLog - + SpecifyMaximumFileSizeSecurityLog + - + 
@@ -30274,25 +41064,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security Channel_LogMaxSize_2 - + - SpecifyMaximumFileSizeSystemLog - + SpecifyMaximumFileSizeSystemLog + - + @@ -30300,19 +41090,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone eventlog.admx EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System Channel_LogMaxSize_4 - + @@ -30335,10 +41125,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowCopyPaste - + AllowCopyPaste + - + 1 @@ -30346,22 +41136,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowCortana - + AllowCortana + - + 1 @@ -30369,21 +41159,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowDeviceDiscovery - + AllowDeviceDiscovery + - + 1 @@ -30391,21 +41181,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowFindMyDevice - + AllowFindMyDevice + - + 1 @@ -30413,21 +41203,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowManualMDMUnenrollment - + AllowManualMDMUnenrollment + - + 1 @@ -30435,21 +41225,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSaveAsOfOfficeFiles - + AllowSaveAsOfOfficeFiles + - + 1 @@ -30457,21 +41247,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowScreenCapture - + AllowScreenCapture + - + 1 
@@ -30479,21 +41269,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSharingOfOfficeFiles - + AllowSharingOfOfficeFiles + - + 1 @@ -30501,21 +41291,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSIMErrorDialogPromptWhenNoSIM - + AllowSIMErrorDialogPromptWhenNoSIM + - + 1 @@ -30523,21 +41313,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSyncMySettings - + AllowSyncMySettings + - + 1 @@ -30545,21 +41335,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowTaskSwitcher - + AllowTaskSwitcher + - + 1 @@ -30567,22 +41357,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowVoiceRecording - + AllowVoiceRecording + - + 1 @@ -30590,22 +41380,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowWindowsTips - + AllowWindowsTips + - + 1 @@ -30613,22 +41403,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DoNotShowFeedbackNotifications - + DoNotShowFeedbackNotifications + - + 0 @@ -30636,15 +41426,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -30667,10 +41457,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAdvancedGamingServices - + AllowAdvancedGamingServices + - + Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. 1 
@@ -30678,15 +41468,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -30709,10 +41499,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AddSearchProvider - + AddSearchProvider + - + @@ -30720,25 +41510,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer AddSearchProvider - + - AllowActiveXFiltering - + AllowActiveXFiltering + - + @@ -30746,25 +41536,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer TurnOnActiveXFiltering - + - AllowAddOnList - + AllowAddOnList + - + @@ -30772,25 +41562,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement AddonManagement_AddOnList - + - AllowEnhancedProtectedMode - + AllowCertificateAddressMismatchWarning + - + @@ -30798,25 +41588,77 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyWarnCertMismatch + + + + AllowDeletingBrowsingHistoryOnExit + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + DBHDisableDeleteOnExit + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage Advanced_EnableEnhancedProtectedMode - + - AllowEnterpriseModeFromToolsMenu - + AllowEnterpriseModeFromToolsMenu + - + 
@@ -30824,25 +41666,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeEnable - + - AllowEnterpriseModeSiteList - + AllowEnterpriseModeSiteList + - + @@ -30850,25 +41692,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnterpriseModeSiteList - + - AllowInternetExplorer7PolicyList - + AllowFallbackToSSL3 + - + @@ -30876,25 +41718,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures + Advanced_EnableSSL3Fallback + + + + AllowInternetExplorer7PolicyList + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_UsePolicyList - + - AllowInternetExplorerStandardsMode - + AllowInternetExplorerStandardsMode + - + @@ -30902,25 +41770,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView CompatView_IntranetSites - + - AllowInternetZoneTemplate - + AllowInternetZoneTemplate + - + @@ -30928,25 +41796,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneTemplate - + - AllowIntranetZoneTemplate - + AllowIntranetZoneTemplate + - + 
@@ -30954,25 +41822,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneTemplate - + - AllowLocalMachineZoneTemplate - + AllowLocalMachineZoneTemplate + - + @@ -30980,25 +41848,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneTemplate - + - AllowLockedDownInternetZoneTemplate - + AllowLockedDownInternetZoneTemplate + - + @@ -31006,25 +41874,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyInternetZoneLockdownTemplate - + - AllowLockedDownIntranetZoneTemplate - + AllowLockedDownIntranetZoneTemplate + - + @@ -31032,25 +41900,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyIntranetZoneLockdownTemplate - + - AllowLockedDownLocalMachineZoneTemplate - + AllowLockedDownLocalMachineZoneTemplate + - + @@ -31058,25 +41926,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyLocalMachineZoneLockdownTemplate - + - AllowLockedDownRestrictedSitesZoneTemplate - + AllowLockedDownRestrictedSitesZoneTemplate + - + 
@@ -31084,25 +41952,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneLockdownTemplate - + - AllowOneWordEntry - + AllowOneWordEntry + - + @@ -31110,25 +41978,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing UseIntranetSiteForOneWordEntry - + - AllowSiteToZoneAssignmentList - + AllowSiteToZoneAssignmentList + - + @@ -31136,25 +42004,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_Zonemaps - + - AllowsLockedDownTrustedSitesZoneTemplate - + AllowsLockedDownTrustedSitesZoneTemplate + - + @@ -31162,25 +42030,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneLockdownTemplate - + - AllowsRestrictedSitesZoneTemplate - + AllowSoftwareWhenSignatureIsInvalid + - + @@ -31188,25 +42056,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_InvalidSignatureBlock + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyRestrictedSitesZoneTemplate - + - AllowSuggestedSites - + AllowSuggestedSites + - + 
@@ -31214,25 +42108,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer EnableSuggestedSites - + - AllowTrustedSitesZoneTemplate - + AllowTrustedSitesZoneTemplate + - + @@ -31240,25 +42134,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_PolicyTrustedSitesZoneTemplate - + - DisableAdobeFlash - + CheckServerCertificateRevocation + - + @@ -31266,25 +42160,103 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_CertificateRevocation + + + + CheckSignaturesOnDownloadedPrograms + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DownloadSignatures + + + + ConsistentMimeHandlingInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction + IESF_PolicyExplorerProcesses_2 + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement DisableFlashInIE - + - DisableBypassOfSmartScreenWarnings - + DisableBlockingOfOutdatedActiveXControls + - + 
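Review bot: In the `@@ -31266` hunk the added node `ConsistentMimeHandlingInternetExplorerProcesses` is followed by the category `inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction` and the policy `IESF_PolicyExplorerProcesses_2`. By name these belong to the binary-behavior restriction, not to MIME handling. The element markup is missing from this view, so the pairing is read from order alone. If it holds, enabling this node would not turn on consistent MIME handling for Internet Explorer processes, so I would check the category and policy name against inetres.admx before this is published.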
@@ -31292,357 +42264,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain - - phone - inetres.admx - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoUpdateCheck - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - 
inetres~AT~WindowsComponents~InternetExplorer - Security_zones_map_edit - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_options_edit - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDisable - + - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - + DisableBypassOfSmartScreenWarnings + - + 
@@ -31650,25 +42290,589 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + + + + DisableConfiguringHistory + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + RestrictHistory + + + + DisableCrashDetection + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SQM_DisableCEIP + + + + DisableDeletingUserVisitedWebsites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory + DBHDisableDeleteHistory + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~RSS_Feeds + Disable_Downloading_of_Enclosures + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_SetWinInetProtocols + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoFirstRunCustomise + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableFlipAhead + + + + DisableIgnoringCertificateErrors + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL + NoCertError + + + + DisableInPrivateBrowsing + + + + + + + + + 
+ + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy + DisableInPrivateBrowsing + + + + DisableProcessesInEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_EnableEnhancedProtectedMode64Bit + + + + DisableProxyChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoSearchProvider + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SecondaryHomePages + + + + DisableSecuritySettingsCheck + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Disable_Security_Settings_Check + + + + DisableUpdateCheck + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoUpdateCheck + + + + DoNotAllowActiveXControlsInProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableEPMCompat + + + + DoNotAllowUsersToAddSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Security_zones_map_edit + + + + DoNotAllowUsersToChangePolicies + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Security_options_edit + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisable + + + + 
DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement VerMgmtDomainAllowlist - + - IncludeAllLocalSites - + IncludeAllLocalSites + - + @@ -31676,25 +42880,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_IncludeUnspecifiedLocalSites - + - IncludeAllNetworkPaths - + IncludeAllNetworkPaths + - + @@ -31702,25 +42906,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage IZ_UNCAsIntranet - + - InternetZoneAllowAccessToDataSources - + InternetZoneAllowAccessToDataSources + - + @@ -31728,25 +42932,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyAccessDataSourcesAcrossDomains_1 - + - InternetZoneAllowAutomaticPromptingForActiveXControls - + InternetZoneAllowAutomaticPromptingForActiveXControls + - + @@ -31754,25 +42958,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarActiveXURLaction_1 - + - InternetZoneAllowAutomaticPromptingForFileDownloads - + InternetZoneAllowAutomaticPromptingForFileDownloads + - + 
@@ -31780,25 +42984,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNotificationBarDownloadURLaction_1 - + - InternetZoneAllowFontDownloads - + InternetZoneAllowCopyPasteViaScript + - + @@ -31806,25 +43010,77 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowPasteViaScript_1 + + + + InternetZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDropOrPasteFiles_1 + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyFontDownload_1 - + - InternetZoneAllowLessPrivilegedSites - + InternetZoneAllowLessPrivilegedSites + - + @@ -31832,25 +43088,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyZoneElevationURLaction_1 - + - InternetZoneAllowNETFrameworkReliantComponents - + InternetZoneAllowLoadingOfXAMLFilesWRONG + - + 
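Review bot: The node name added at the end of the `@@ -31832` hunk, `InternetZoneAllowLoadingOfXAMLFilesWRONG`, carries a `WRONG` suffix that reads like a leftover working marker. I would publish it as `InternetZoneAllowLoadingOfXAMLFiles`, or hold the node back until the name is settled. Later hunks add `InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1` and `WRONG2`, and `InternetZoneJavaPermissionsWRONG1` and `WRONG2`, with the same suffix. Both `WRONG2` nodes are followed by `IZ_IntranetZone` policies ending in `_3`, so they look like Intranet-zone settings filed under an Internet-zone name. Anyone building a security baseline from this listing would copy these names as they stand.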
@@ -31858,25 +43114,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_XAML_1 + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - + - InternetZoneAllowScriptlets - + InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls + - + 
@@ -31884,25 +43166,129 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet + + + + InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyAllowTDCControl_Both_LocalMachine + + + + InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_WebBrowserControl_1 + + + + InternetZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyWindowsRestrictionsURLaction_6 + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_AllowScriptlets_1 - + - InternetZoneAllowSmartScreenIE - + InternetZoneAllowSmartScreenIE + - + @@ -31910,25 +43296,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_Policy_Phishing_1 - + - InternetZoneAllowUserDataPersistence - + InternetZoneAllowUpdatesToStatusBarViaScript + - + 
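Review bot: Three Internet-zone nodes in the `@@ -31884` hunk are followed by ADMX entries for other zones. `InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls` (name added at the end of the previous hunk) gets `IZ_IntranetZone`, `InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl` gets `IZ_PolicyAllowTDCControl_Both_LocalMachine`, and `InternetZoneAllowScriptInitiatedWindows` gets `IZ_TrustedSitesZoneLockdown` with `IZ_PolicyWindowsRestrictionsURLaction_6`. The element markup is missing from this view, so the pairing is read from order; if it holds, an administrator hardening the Internet zone through these nodes would change a different zone and leave the Internet zone at its default. Each of them should carry the category `inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone` and that zone's policy name, confirmed against inetres.admx. The `@@ -31962` hunk shows the same pattern for `InternetZoneDownloadSignedActiveXControls` (`IZ_IntranetZone`), `InternetZoneEnableCrossSiteScriptingFilter` (`IZ_LocalMachineZone`) and `InternetZoneEnableProtectedMode` (`IZ_InternetZoneLockdown`).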
@@ -31936,25 +43322,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_ScriptStatusBar_1 + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyUserdataPersistence_1 - + - InternetZoneInitializeAndScriptActiveXControls - + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1 + - + 
@@ -31962,25 +43374,285 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 + + + + InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 + + + + InternetZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyDownloadSignedActiveX_3 + + + + InternetZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadUnsignedActiveX_1 + + + + InternetZoneEnableCrossSiteScriptingFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyTurnOnXSSFilter_Both_LocalMachine + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet + + + + InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet + + + + InternetZoneEnableMIMESniffing + + + + + + + 
+ + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyMimeSniffingURLaction_1 + + + + InternetZoneEnableProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_TurnOnProtectedMode_2 + + + + InternetZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_LocalPathForUpload_1 + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyScriptActiveXNotMarkedSafe_1 - + - InternetZoneNavigateWindowsAndFrames - + InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe + - + 
@@ -31988,25 +43660,155 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXNotMarkedSafe_1 + + + + InternetZoneJavaPermissionsWRONG1 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyJavaPermissions_1 + + + + InternetZoneJavaPermissionsWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyJavaPermissions_3 + + + + InternetZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyLaunchAppsAndFilesInIFRAME_1 + + + + InternetZoneLogonOptions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyLogon_1 + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone IZ_PolicyNavigateSubframesAcrossDomains_1 - + - IntranetZoneAllowAccessToDataSources - + InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode + - + 
@@ -32014,25 +43816,155 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + + + + InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicySignedFrameworkComponentsURLaction_1 + + + + InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_UnsafeFiles_1 + + + + InternetZoneUsePopupBlocker + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyBlockPopupWindows_1 + + + + InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyZoneElevationURLaction_1 + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyAccessDataSourcesAcrossDomains_3 - + - IntranetZoneAllowAutomaticPromptingForActiveXControls - + IntranetZoneAllowAutomaticPromptingForActiveXControls + - + 
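Review bot: This hunk adds nodes that point at an ADMX policy another node already uses. `InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone` is followed by `IZ_PolicyZoneElevationURLaction_1`, which an earlier hunk lists for `InternetZoneAllowLessPrivilegedSites`. `InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode` (name added at the end of the previous hunk) repeats `IZ_PolicyUnsignedFrameworkComponentsURLaction_1` from `InternetZoneAllowNETFrameworkReliantComponents`. The listing does not say which value applies when both nodes of a pair are set differently, so I would keep one node per ADMX policy or state in the description which name is the retained alias. The pairs `InternetZoneInitializeAndScriptActiveXControls` / `InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe` and `DisableBlockingOfOutdatedActiveXControls` / `DoNotBlockOutdatedActiveXControls` (both `VerMgmtDisable`) in earlier hunks look the same. The pairing is read from order because the element markup is missing here.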
@@ -32040,25 +43972,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarActiveXURLaction_3 - + - IntranetZoneAllowAutomaticPromptingForFileDownloads - + IntranetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -32066,25 +43998,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNotificationBarDownloadURLaction_3 - + - IntranetZoneAllowFontDownloads - + IntranetZoneAllowFontDownloads + - + @@ -32092,25 +44024,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyFontDownload_3 - + - IntranetZoneAllowLessPrivilegedSites - + IntranetZoneAllowLessPrivilegedSites + - + @@ -32118,25 +44050,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyZoneElevationURLaction_3 - + - IntranetZoneAllowNETFrameworkReliantComponents - + IntranetZoneAllowNETFrameworkReliantComponents + - + @@ -32144,25 +44076,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - + - IntranetZoneAllowScriptlets - + IntranetZoneAllowScriptlets + - + 
@@ -32170,25 +44102,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_AllowScriptlets_3 - + - IntranetZoneAllowSmartScreenIE - + IntranetZoneAllowSmartScreenIE + - + @@ -32196,25 +44128,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_Policy_Phishing_3 - + - IntranetZoneAllowUserDataPersistence - + IntranetZoneAllowUserDataPersistence + - + @@ -32222,25 +44154,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyUserdataPersistence_3 - + - IntranetZoneInitializeAndScriptActiveXControls - + IntranetZoneInitializeAndScriptActiveXControls + - + @@ -32248,25 +44180,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyScriptActiveXNotMarkedSafe_3 - + - IntranetZoneNavigateWindowsAndFrames - + IntranetZoneNavigateWindowsAndFrames + - + @@ -32274,25 +44206,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone IZ_PolicyNavigateSubframesAcrossDomains_3 - + - LocalMachineZoneAllowAccessToDataSources - + LocalMachineZoneAllowAccessToDataSources + - + 
@@ -32300,25 +44232,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyAccessDataSourcesAcrossDomains_9 - + - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + - + @@ -32326,25 +44258,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarActiveXURLaction_9 - + - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + - + @@ -32352,25 +44284,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNotificationBarDownloadURLaction_9 - + - LocalMachineZoneAllowFontDownloads - + LocalMachineZoneAllowFontDownloads + - + @@ -32378,25 +44310,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyFontDownload_9 - + - LocalMachineZoneAllowLessPrivilegedSites - + LocalMachineZoneAllowLessPrivilegedSites + - + 
@@ -32404,25 +44336,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyZoneElevationURLaction_9 - + - LocalMachineZoneAllowNETFrameworkReliantComponents - + LocalMachineZoneAllowNETFrameworkReliantComponents + - + @@ -32430,25 +44362,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - + - LocalMachineZoneAllowScriptlets - + LocalMachineZoneAllowScriptlets + - + @@ -32456,25 +44388,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_AllowScriptlets_9 - + - LocalMachineZoneAllowSmartScreenIE - + LocalMachineZoneAllowSmartScreenIE + - + @@ -32482,25 +44414,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_Policy_Phishing_9 - + - LocalMachineZoneAllowUserDataPersistence - + LocalMachineZoneAllowUserDataPersistence + - + @@ -32508,25 +44440,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyUserdataPersistence_9 - + - LocalMachineZoneInitializeAndScriptActiveXControls - + LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls + - + 
@@ -32534,25 +44466,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyScriptActiveXNotMarkedSafe_9 - + - LocalMachineZoneNavigateWindowsAndFrames - + LocalMachineZoneJavaPermissions + - + @@ -32560,25 +44518,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyJavaPermissions_9 + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone IZ_PolicyNavigateSubframesAcrossDomains_9 - + - LockedDownInternetZoneAllowAccessToDataSources - + LockedDownInternetZoneAllowAccessToDataSources + - + @@ -32586,25 +44570,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_2 - + - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + - + 
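Review bot: The mapping added in hunk `@@ -32534,25 +44466,51 @@` for `LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls` names two zones in its category path: `...~IZ_SecurityPage~IZ_IntranetZone~IZ_LocalMachineZone`. Every other Local Machine Zone entry on this page uses `inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone`, so the extra `IZ_IntranetZone~` segment looks like a paste error. If a consumer resolves the ADMX category from this string, the setting may fail to resolve or land under the wrong zone; check it against inetres.admx. The node's name line is added at the end of the previous hunk, so the entry spans two hunks.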
@@ -32612,25 +44596,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_2 - + - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -32638,25 +44622,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_2 - + - LockedDownInternetZoneAllowFontDownloads - + LockedDownInternetZoneAllowFontDownloads + - + @@ -32664,25 +44648,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyFontDownload_2 - + - LockedDownInternetZoneAllowLessPrivilegedSites - + LockedDownInternetZoneAllowLessPrivilegedSites + - + @@ -32690,25 +44674,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyZoneElevationURLaction_2 - + - LockedDownInternetZoneAllowNETFrameworkReliantComponents - + LockedDownInternetZoneAllowNETFrameworkReliantComponents + - + 
@@ -32716,25 +44700,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - + - LockedDownInternetZoneAllowScriptlets - + LockedDownInternetZoneAllowScriptlets + - + @@ -32742,25 +44726,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_AllowScriptlets_2 - + - LockedDownInternetZoneAllowSmartScreenIE - + LockedDownInternetZoneAllowSmartScreenIE + - + @@ -32768,25 +44752,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_Policy_Phishing_2 - + - LockedDownInternetZoneAllowUserDataPersistence - + LockedDownInternetZoneAllowUserDataPersistence + - + @@ -32794,25 +44778,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyUserdataPersistence_2 - + - LockedDownInternetZoneInitializeAndScriptActiveXControls - + LockedDownInternetZoneInitializeAndScriptActiveXControls + - + @@ -32820,25 +44804,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_2 - + - LockedDownInternetZoneNavigateWindowsAndFrames - + LockedDownInternetZoneJavaPermissions + - + 
@@ -32846,25 +44830,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyJavaPermissions_2 + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_2 - + - LockedDownIntranetZoneAllowAccessToDataSources - + LockedDownIntranetZoneAllowAccessToDataSources + - + @@ -32872,25 +44882,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_4 - + - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + - + @@ -32898,25 +44908,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_4 - + - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + - + @@ -32924,25 +44934,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_4 - + - LockedDownIntranetZoneAllowFontDownloads - + LockedDownIntranetZoneAllowFontDownloads + - + 
@@ -32950,25 +44960,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyFontDownload_4 - + - LockedDownIntranetZoneAllowLessPrivilegedSites - + LockedDownIntranetZoneAllowLessPrivilegedSites + - + @@ -32976,25 +44986,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyZoneElevationURLaction_4 - + - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + - + @@ -33002,25 +45012,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - + - LockedDownIntranetZoneAllowScriptlets - + LockedDownIntranetZoneAllowScriptlets + - + @@ -33028,25 +45038,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_AllowScriptlets_4 - + - LockedDownIntranetZoneAllowSmartScreenIE - + LockedDownIntranetZoneAllowSmartScreenIE + - + @@ -33054,25 +45064,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_Policy_Phishing_4 - + - LockedDownIntranetZoneAllowUserDataPersistence - + LockedDownIntranetZoneAllowUserDataPersistence + - + 
@@ -33080,25 +45090,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyUserdataPersistence_4 - + - LockedDownIntranetZoneInitializeAndScriptActiveXControls - + LockedDownIntranetZoneInitializeAndScriptActiveXControls + - + @@ -33106,25 +45116,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_4 - + - LockedDownIntranetZoneNavigateWindowsAndFrames - + LockedDownIntranetZoneNavigateWindowsAndFrames + - + @@ -33132,25 +45142,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_4 - + - LockedDownLocalMachineZoneAllowAccessToDataSources - + LockedDownLocalMachineZoneAllowAccessToDataSources + - + @@ -33158,25 +45168,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_10 - + - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -33184,25 +45194,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_10 - + - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - + LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + - + @@ -33210,25 +45220,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_10 - + - LockedDownLocalMachineZoneAllowFontDownloads - + LockedDownLocalMachineZoneAllowFontDownloads + - + @@ -33236,25 +45246,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyFontDownload_10 - + - LockedDownLocalMachineZoneAllowLessPrivilegedSites - + LockedDownLocalMachineZoneAllowLessPrivilegedSites + - + @@ -33262,25 +45272,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyZoneElevationURLaction_10 - + - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + - + 
@@ -33288,25 +45298,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - + - LockedDownLocalMachineZoneAllowScriptlets - + LockedDownLocalMachineZoneAllowScriptlets + - + @@ -33314,25 +45324,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_AllowScriptlets_10 - + - LockedDownLocalMachineZoneAllowSmartScreenIE - + LockedDownLocalMachineZoneAllowSmartScreenIE + - + @@ -33340,25 +45350,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_Policy_Phishing_10 - + - LockedDownLocalMachineZoneAllowUserDataPersistence - + LockedDownLocalMachineZoneAllowUserDataPersistence + - + @@ -33366,25 +45376,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyUserdataPersistence_10 - + - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + - + 
@@ -33392,25 +45402,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_10 - + - LockedDownLocalMachineZoneNavigateWindowsAndFrames - + LockedDownLocalMachineZoneJavaPermissions + - + @@ -33418,25 +45428,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyJavaPermissions_10 + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_10 - + - LockedDownRestrictedSitesZoneAllowAccessToDataSources - + LockedDownRestrictedSitesZoneAllowAccessToDataSources + - + @@ -33444,25 +45480,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_8 - + - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -33470,25 +45506,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_8 - + - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -33496,25 +45532,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_8 - + - LockedDownRestrictedSitesZoneAllowFontDownloads - + LockedDownRestrictedSitesZoneAllowFontDownloads + - + @@ -33522,25 +45558,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyFontDownload_8 - + - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + - + @@ -33548,25 +45584,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_8 - + - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + - + 
@@ -33574,25 +45610,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - + - LockedDownRestrictedSitesZoneAllowScriptlets - + LockedDownRestrictedSitesZoneAllowScriptlets + - + @@ -33600,25 +45636,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_AllowScriptlets_8 - + - LockedDownRestrictedSitesZoneAllowSmartScreenIE - + LockedDownRestrictedSitesZoneAllowSmartScreenIE + - + @@ -33626,25 +45662,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_Policy_Phishing_8 - + - LockedDownRestrictedSitesZoneAllowUserDataPersistence - + LockedDownRestrictedSitesZoneAllowUserDataPersistence + - + @@ -33652,25 +45688,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyUserdataPersistence_8 - + - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + - + 
@@ -33678,25 +45714,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_8 - + - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - + LockedDownRestrictedSitesZoneJavaPermissions + - + @@ -33704,25 +45740,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyJavaPermissions_8 + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_8 - + - LockedDownTrustedSitesZoneAllowAccessToDataSources - + LockedDownTrustedSitesZoneAllowAccessToDataSources + - + @@ -33730,25 +45792,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyAccessDataSourcesAcrossDomains_6 - + - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -33756,25 +45818,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarActiveXURLaction_6 - + - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -33782,25 +45844,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNotificationBarDownloadURLaction_6 - + - LockedDownTrustedSitesZoneAllowFontDownloads - + LockedDownTrustedSitesZoneAllowFontDownloads + - + @@ -33808,25 +45870,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyFontDownload_6 - + - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + - + @@ -33834,25 +45896,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyZoneElevationURLaction_6 - + - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + - + 
@@ -33860,25 +45922,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - + - LockedDownTrustedSitesZoneAllowScriptlets - + LockedDownTrustedSitesZoneAllowScriptlets + - + @@ -33886,25 +45948,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_AllowScriptlets_6 - + - LockedDownTrustedSitesZoneAllowSmartScreenIE - + LockedDownTrustedSitesZoneAllowSmartScreenIE + - + @@ -33912,25 +45974,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_Policy_Phishing_6 - + - LockedDownTrustedSitesZoneAllowUserDataPersistence - + LockedDownTrustedSitesZoneAllowUserDataPersistence + - + @@ -33938,25 +46000,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyUserdataPersistence_6 - + - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + - + 
@@ -33964,25 +46026,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyScriptActiveXNotMarkedSafe_6 - + - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - + LockedDownTrustedSitesZoneJavaPermissions + - + @@ -33990,25 +46052,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyJavaPermissions_6 + + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown IZ_PolicyNavigateSubframesAcrossDomains_6 - + - RestrictedSitesZoneAllowAccessToDataSources - + MimeSniffingSafetyFeatureInternetExplorerProcesses + - + 
@@ -34016,25 +46104,233 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature + IESF_PolicyExplorerProcesses_6 + + + + MKProtocolSecurityRestrictionInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction + IESF_PolicyExplorerProcesses_3 + + + + NotificationBarInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar + IESF_PolicyExplorerProcesses_10 + + + + PreventManagingSmartScreenFilter + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyDownloadSignedActiveX_1 + + + + PreventPerUserInstallationOfActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisablePerUserActiveXInstall + + + + ProtectionFromZoneElevationInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation + IESF_PolicyAllProcesses_9 + + + + RemoveRunThisTimeButtonForOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisableRunThisTime + + + + RestrictActiveXInstallInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall + 
IESF_PolicyAllProcesses_11 + + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_7 - + - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - + RestrictedSitesZoneAllowActiveScripting + - + @@ -34042,25 +46338,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyActiveScripting_1 + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarActiveXURLaction_7 - + - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -34068,25 +46390,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNotificationBarDownloadURLaction_7 - + - RestrictedSitesZoneAllowFontDownloads - + RestrictedSitesZoneAllowBinaryAndScriptBehaviors + - + 
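Review bot: In hunk `@@ -34016,25 +46104,233 @@` the new `PreventManagingSmartScreenFilter` node is mapped to `...~IZ_SecurityPage~IZ_InternetZone` / `IZ_PolicyDownloadSignedActiveX_1`, the Internet-zone signed-ActiveX download policy by its name. That does not match a SmartScreen management setting and looks copied from another entry. An administrator relying on this mapping to stop users from turning SmartScreen off could end up changing an unrelated zone setting, so the category and policy id should be confirmed against inetres.admx before publishing. In the same hunk, `ProtectionFromZoneElevationInternetExplorerProcesses` and `RestrictActiveXInstallInternetExplorerProcesses` map to `IESF_PolicyAllProcesses_9` and `IESF_PolicyAllProcesses_11`, while the other `...InternetExplorerProcesses` nodes map to `IESF_PolicyExplorerProcesses_N`; the process scope of those two deserves the same check.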
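Review bot: The new `RestrictedSitesZoneAllowActiveScripting` node in hunk `@@ -34042,25 +46338,51 @@` is mapped to the Internet zone (`...~IZ_SecurityPage~IZ_InternetZone`, `IZ_PolicyActiveScripting_1`) rather than the Restricted Sites zone. The same mismatch appears in the later hunks for `RestrictedSitesZoneAllowBinaryAndScriptBehaviors`, `RestrictedSitesZoneAllowFileDownloads`, `RestrictedSitesZoneAllowFontDownloadsWRONG2` and `RestrictedSitesZoneAllowMETAREFRESH`. The Restricted Sites entries that do look right use `inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone` with a `_7` policy id, so these presumably need that category and the `_7` counterpart of each id. As written, someone hardening Restricted Sites through these nodes would either leave that zone at its default or alter Internet-zone behaviour; verify each against inetres.admx.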
@@ -34094,25 +46416,129 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyBinaryBehaviors_1 + + + + RestrictedSitesZoneAllowCopyPasteViaScript + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowPasteViaScript_7 + + + + RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDropOrPasteFiles_7 + + + + RestrictedSitesZoneAllowFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFileDownload_1 + + + + RestrictedSitesZoneAllowFontDownloadsWRONG1 + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyFontDownload_7 - + - RestrictedSitesZoneAllowLessPrivilegedSites - + RestrictedSitesZoneAllowFontDownloadsWRONG2 + - + 
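Review bot: The node names `RestrictedSitesZoneAllowFontDownloadsWRONG1` and `RestrictedSitesZoneAllowFontDownloadsWRONG2` added in this hunk read as leftover placeholders, and the first appears to replace the existing `RestrictedSitesZoneAllowFontDownloads` while keeping its `IZ_PolicyFontDownload_7` mapping. A management profile that addresses the old name would presumably stop resolving, so the setting could silently go unapplied. Later hunks add `RestrictedSitesZoneWRONG` through `RestrictedSitesZoneWRONG5` and `TrustedSitesZoneWRONG1` / `TrustedSitesZoneWRONG2` in the same way. I would keep `RestrictedSitesZoneAllowFontDownloads` for the `_7` entry and give each remaining node a name that describes the ADMX policy it maps to before this is published.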
@@ -34120,25 +46546,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFontDownload_1 + + + + RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyZoneElevationURLaction_7 - + - RestrictedSitesZoneAllowNETFrameworkReliantComponents - + RestrictedSitesZoneAllowLoadingOfXAMLFiles + - + @@ -34146,25 +46598,77 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_XAML_7 + + + + RestrictedSitesZoneAllowMETAREFRESH + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAllowMETAREFRESH_1 + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - + - RestrictedSitesZoneAllowScriptlets - + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls + - + 
@@ -34172,25 +46676,129 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted + + + + RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAllowTDCControl_Both_Restricted + + + + RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_WebBrowserControl_7 + + + + RestrictedSitesZoneAllowScriptInitiatedWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyWindowsRestrictionsURLaction_7 + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_AllowScriptlets_7 - + - RestrictedSitesZoneAllowSmartScreenIE - + RestrictedSitesZoneAllowSmartScreenIE + - + @@ -34198,25 +46806,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_Policy_Phishing_7 - + - RestrictedSitesZoneAllowUserDataPersistence - + RestrictedSitesZoneAllowUpdatesToStatusBarViaScript + - + 
@@ -34224,25 +46832,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_ScriptStatusBar_7 + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyUserdataPersistence_7 - + - RestrictedSitesZoneInitializeAndScriptActiveXControls - + RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls + - + 
@@ -34250,25 +46884,207 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 + + + + RestrictedSitesZoneDownloadSignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDownloadSignedActiveX_7 + + + + RestrictedSitesZoneDownloadUnsignedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDownloadUnsignedActiveX_7 + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted + + + + RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted + + + + RestrictedSitesZoneEnableMIMESniffing + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyMimeSniffingURLaction_7 + + + + RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_LocalPathForUpload_7 + + + 
+ RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_7 - + - RestrictedSitesZoneNavigateWindowsAndFrames - + RestrictedSitesZoneJavaPermissions + - + @@ -34276,25 +47092,103 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyJavaPermissions_7 + + + + RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyLaunchAppsAndFilesInIFRAME_7 + + + + RestrictedSitesZoneLogonOptions + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyLogon_7 + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_7 - + - SearchProviderList - + RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains + - + 
@@ -34302,25 +47196,311 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNavigateSubframesAcrossDomains_1 + + + + RestrictedSitesZoneRunActiveXControlsAndPlugins + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyRunActiveXControls_1 + + + + RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicySignedFrameworkComponentsURLaction_7 + + + + RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXMarkedSafe_1 + + + + RestrictedSitesZoneWRONG + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyScriptingOfJavaApplets_6 + + + + RestrictedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_UnsafeFiles_7 + + + + RestrictedSitesZoneWRONG3 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyTurnOnXSSFilter_Both_Restricted + + + + RestrictedSitesZoneWRONG4 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_TurnOnProtectedMode_7 + + + + RestrictedSitesZoneWRONG5 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyBlockPopupWindows_7 + + + + RestrictFileDownloadInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload + IESF_PolicyAllProcesses_12 + + + + ScriptedWindowSecurityRestrictionsInternetExplorerProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions + IESF_PolicyAllProcesses_8 + + + + SearchProviderList + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer SpecificSearchProvider - + - TrustedSitesZoneAllowAccessToDataSources - + SecurityZonesUseOnlyMachineSettings + - + @@ -34328,25 +47508,77 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Security_HKLM_only + + + + SpecifyUseOfActiveXInstallerService + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + OnlyUseAXISForActiveXInstall + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyAccessDataSourcesAcrossDomains_5 - + - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + - + 
@@ -34354,25 +47586,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarActiveXURLaction_5 - + - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + - + @@ -34380,25 +47612,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNotificationBarDownloadURLaction_5 - + - TrustedSitesZoneAllowFontDownloads - + TrustedSitesZoneAllowFontDownloads + - + @@ -34406,25 +47638,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyFontDownload_5 - + - TrustedSitesZoneAllowLessPrivilegedSites - + TrustedSitesZoneAllowLessPrivilegedSites + - + @@ -34432,25 +47664,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyZoneElevationURLaction_5 - + - TrustedSitesZoneAllowNETFrameworkReliantComponents - + TrustedSitesZoneAllowNETFrameworkReliantComponents + - + @@ -34458,25 +47690,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - + - TrustedSitesZoneAllowScriptlets - + TrustedSitesZoneAllowScriptlets + - + 
@@ -34484,25 +47716,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_AllowScriptlets_5 - + - TrustedSitesZoneAllowSmartScreenIE - + TrustedSitesZoneAllowSmartScreenIE + - + @@ -34510,25 +47742,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_Policy_Phishing_5 - + - TrustedSitesZoneAllowUserDataPersistence - + TrustedSitesZoneAllowUserDataPersistence + - + @@ -34536,25 +47768,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyUserdataPersistence_5 - + - TrustedSitesZoneInitializeAndScriptActiveXControls - + TrustedSitesZoneInitializeAndScriptActiveXControls + - + @@ -34562,25 +47794,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyScriptActiveXNotMarkedSafe_5 - + - TrustedSitesZoneNavigateWindowsAndFrames - + TrustedSitesZoneJavaPermissions + - + 
@@ -34588,19 +47820,97 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyJavaPermissions_5 + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain phone inetres.admx inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone IZ_PolicyNavigateSubframesAcrossDomains_5 - + + + + TrustedSitesZoneWRONG1 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 + + + + TrustedSitesZoneWRONG2 + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + @@ -34623,10 +47933,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowForestSearchOrder - + AllowForestSearchOrder + - + @@ -34634,25 +47944,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ForestSearch - + - KerberosClientSupportsClaimsCompoundArmor - + KerberosClientSupportsClaimsCompoundArmor + - + @@ -34660,25 +47970,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Kerberos.admx Kerberos~AT~System~kerberos EnableCbacAndArmor - + - RequireKerberosArmoring - + RequireKerberosArmoring + - + 
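Review bot: `TrustedSitesZoneWRONG2` in the `-34588` hunk maps to `IZ_PolicyScriptActiveXNotMarkedSafe_5`, the same ADMX policy that `TrustedSitesZoneInitializeAndScriptActiveXControls` already uses a few entries earlier. Two nodes bound to one backing policy leave it unclear which value wins if both are set, and this setting governs scripting of ActiveX controls not marked safe. Either drop the duplicate node or point it at the policy it was meant to expose; the intended id is not visible here.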
@@ -34686,25 +47996,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ClientRequireFast - + - RequireStrictKDCValidation - + RequireStrictKDCValidation + - + @@ -34712,25 +48022,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Kerberos.admx Kerberos~AT~System~kerberos ValidateKDC - + - SetMaximumContextTokenSize - + SetMaximumContextTokenSize + - + @@ -34738,19 +48048,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Kerberos.admx Kerberos~AT~System~kerberos MaxTokenSize - + @@ -34773,10 +48083,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowWindowsEntitlementReactivation - + AllowWindowsEntitlementReactivation + - + 1 @@ -34784,22 +48094,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - DisallowKMSClientOnlineAVSValidation - + DisallowKMSClientOnlineAVSValidation + - + 0 
@@ -34807,16 +48117,876 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + + + + + LocalPoliciesSecurityOptions + + + + + + + + + + + + + + + + + + + Accounts_BlockMicrosoftAccounts + + + + + This policy setting prevents users from adding new Microsoft accounts on this computer. + +If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. + +If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. + +If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + 0 + + + + + + + + + + + text/plain + + phone + + + + Accounts_EnableAdministratorAccountStatus + + + + + This security setting determines whether the local Administrator account is enabled or disabled. + +Notes + +If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. +Disabling the Administrator account can become a maintenance issue under certain circumstances. + +Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. 
If the computer is domain joined the disabled administrator will not be enabled. + +Default: Disabled. + 0 + + + + + + + + + + + text/plain + + desktop + + + + Accounts_EnableGuestAccountStatus + + + + + This security setting determines if the Guest account is enabled or disabled. + +Default: Disabled. + +Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + 0 + + + + + + + + + + + text/plain + + desktop + + + + Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly + + + + + Accounts: Limit local account use of blank passwords to console logon only + +This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. + +Default: Enabled. + + +Warning: + +Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +Notes + +This setting does not affect logons that use domain accounts. +It is possible for applications that use remote interactive logons to bypass this setting. + 1 + + + + + + + + + + + text/plain + + phone + + + + Accounts_RenameAdministratorAccount + + + + + Accounts: Rename administrator account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. 
Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. + +Default: Administrator. + + + + + + + + + + + + text/plain + + phone + + + + Accounts_RenameGuestAccount + + + + + Accounts: Rename guest account + +This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. + +Default: Guest. + + + + + + + + + + + + text/plain + + phone + + + + InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked + + + + + Interactive Logon:Display user information when the session is locked +User display name, domain and user names (1) +User display name only (2) +Do not display user information (3) + 1 + + + + + + + + + + + text/plain + + phone + + + + Interactivelogon_DoNotDisplayLastSignedIn + + + + + Interactive logon: Don't display last signed-in +This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. + 0 + + + + + + + + + + + text/plain + + phone + + + + Interactivelogon_DoNotDisplayUsernameAtSignIn + + + + + Interactive logon: Don't display username at sign-in +This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. +If this policy is enabled, the username will not be shown. + +If this policy is disabled, the username will be shown. + +Default: Disabled. 
+ 0 + + + + + + + + + + + text/plain + + phone + + + + Interactivelogon_DoNotRequireCTRLALTDEL + + + + + Interactive logon: Do not require CTRL+ALT+DEL + +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. + +If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. + +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. + +Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled. + 1 + + + + + + + + + + + text/plain + + phone + + + + InteractiveLogon_MachineInactivityLimit + + + + + Interactive logon: Machine inactivity limit. + +Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. + +Default: not enforced. + 0 + + + + + + + + + + + text/plain + + + + + InteractiveLogon_MessageTextForUsersAttemptingToLogOn + + + + + Interactive logon: Message text for users attempting to log on + +This security setting specifies a text message that is displayed to users when they log on. + +This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + +Default: No message. 
+ + + + + + + + + + + + text/plain + + phone + + + + InteractiveLogon_MessageTitleForUsersAttemptingToLogOn + + + + + Interactive logon: Message title for users attempting to log on + +This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. + +Default: No message. + + + + + + + + + + + + text/plain + + phone + + + + NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccountsAndShares + + + + + Network access: Do not allow anonymous enumeration of SAM accounts and shares + +This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. + +Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. + +Default: Disabled. + 0 + + + + + + + + + + + text/plain + + phone + + + + NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + + + + Network access: Restrict anonymous access to Named Pipes and Shares + +When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: + +Network access: Named pipes that can be accessed anonymously +Network access: Shares that can be accessed anonymously +Default: Enabled. + 1 + + + + + + + + + + + text/plain + + phone + + + + NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + + + + + Network access: Restrict clients allowed to make remote calls to SAM + +This policy setting allows you to restrict remote rpc connections to SAM. + +If not selected, the default security descriptor will be used. + +This policy is supported on at least Windows Server 2016. 
+ + + + + + + + + + + + text/plain + + phone + + + + NetworkSecurity_AllowPKU2UAuthenticationRequests + + + + + Network security: Allow PKU2U authentication requests to this computer to use online identities. + +This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + 1 + + + + + + + + + + + text/plain + + phone + + + + RecoveryConsole_AllowAutomaticAdministrativeLogon + + + + + Recovery console: Allow automatic administrative logon + +This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. + +Default: This policy is not defined and automatic administrative logon is not allowed. + 0 + + + + + + + + + + + text/plain + + phone + + + + Shutdown_ClearVirtualMemoryPageFile + + + + + Shutdown: Clear virtual memory pagefile + +This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. + +Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. + +When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. + +Default: Disabled. 
+ 0 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_AllowUIAccessApplicationsToPromptForElevation + + + + + User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. + +This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. + +• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. + +• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + 1 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_BehaviorOfTheElevationPromptForAdministrators + + + + + User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode + +This policy setting controls the behavior of the elevation prompt for administrators. + +The options are: + +• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. + +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
+ +• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + +• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + 0 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers + + + + + User Account Control: Behavior of the elevation prompt for standard users +This policy setting controls the behavior of the elevation prompt for standard users. + +The options are: + +• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + +• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. 
+ +• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + 0 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated + + + + + User Account Control: Only elevate executable files that are signed and validated + +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. + +The options are: + +• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. + +• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. + 1 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + + + + User Account Control: Only elevate UIAccess applications that are installed in secure locations + +This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: + +- …\Program Files\, including subfolders +- …\Windows\system32\ +- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows + +Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. 
+ +The options are: + +• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. + +• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + 1 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + + + + User Account Control: Turn on Admin Approval Mode + +This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. + +The options are: + +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. + +• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + 0 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation + + + + + User Account Control: Switch to the secure desktop when prompting for elevation + +This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. + +The options are: + +• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. + +• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. 
+ 1 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_UseAdminApprovalMode + + + + + User Account Control: Use Admin Approval Mode for the built-in Administrator account + +This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. + +The options are: + +• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. + +• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + 1 + + + + + + + + + + + text/plain + + phone + + + + UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations + + + + + User Account Control: Virtualize file and registry write failures to per-user locations + +This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. + +The options are: + +• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. + +• Disabled: Applications that write data to protected locations fail. + 1 + + + + + + + + + + + text/plain + + phone + @@ -34839,10 +49009,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - EnableLocation - + EnableLocation + - + 0 @@ -34850,15 +49020,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -34881,10 +49051,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowEdgeSwipe - + AllowEdgeSwipe + - + 1 
@@ -34892,16 +49062,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -34924,10 +49094,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowOfflineMapsDownloadOverMeteredConnection - + AllowOfflineMapsDownloadOverMeteredConnection + - + 65535 @@ -34935,21 +49105,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnableOfflineMapsAutoUpdate - + EnableOfflineMapsAutoUpdate + - + 65535 @@ -34957,15 +49127,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -34988,10 +49158,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowMessageSync - + AllowMessageSync + - + 1 @@ -34999,22 +49169,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowMMS - + AllowMMS + - + 1 @@ -35022,22 +49192,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowRCS - + AllowRCS + - + 1 @@ -35045,16 +49215,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + @@ -35077,10 +49247,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - EnterpriseCloudResources - + EnterpriseCloudResources + - + @@ -35088,21 +49258,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseInternalProxyServers - + EnterpriseInternalProxyServers + - + @@ -35110,21 +49280,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseIPRange - + EnterpriseIPRange + - + 
@@ -35132,21 +49302,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseIPRangesAreAuthoritative - + EnterpriseIPRangesAreAuthoritative + - + 0 @@ -35154,21 +49324,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseNetworkDomainNames - + EnterpriseNetworkDomainNames + - + @@ -35176,21 +49346,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseProxyServers - + EnterpriseProxyServers + - + @@ -35198,21 +49368,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EnterpriseProxyServersAreAuthoritative - + EnterpriseProxyServersAreAuthoritative + - + 0 @@ -35220,21 +49390,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - NeutralResources - + NeutralResources + - + @@ -35242,15 +49412,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -35273,10 +49443,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowStandbyWhenSleepingPluggedIn - + AllowStandbyWhenSleepingPluggedIn + - + @@ -35284,25 +49454,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat AllowStandbyStatesAC_2 - + - RequirePasswordWhenComputerWakesOnBattery - + DisplayOffTimeoutOnBattery + - + 
@@ -35310,25 +49480,129 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerVideoSettingsCat + VideoPowerDownTimeOutDC_2 + + + + DisplayOffTimeoutPluggedIn + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerVideoSettingsCat + VideoPowerDownTimeOutAC_2 + + + + HibernateTimeoutOnBattery + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + DCHibernateTimeOut_2 + + + + HibernateTimeoutPluggedIn + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + ACHibernateTimeOut_2 + + + + RequirePasswordWhenComputerWakesOnBattery + + + + + + + + + + + + + + + + + text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat DCPromptForPasswordOnResume_2 - + - RequirePasswordWhenComputerWakesPluggedIn - + RequirePasswordWhenComputerWakesPluggedIn + - + @@ -35336,19 +49610,71 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone power.admx Power~AT~System~PowerManagementCat~PowerSleepSettingsCat ACPromptForPasswordOnResume_2 - + + + + StandbyTimeoutOnBattery + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + DCStandbyTimeOut_2 + + + + StandbyTimeoutPluggedIn + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + ACStandbyTimeOut_2 + @@ -35371,10 +49697,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - PointAndPrintRestrictions - + PointAndPrintRestrictions + - + 
@@ -35382,25 +49708,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Printing.admx Printing~AT~ControlPanel~CplPrinters PointAndPrint_Restrictions_Win7 - + - PublishPrinters - + PublishPrinters + - + @@ -35408,19 +49734,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone Printing2.admx Printing2~AT~Printers PublishPrinters - + @@ -35443,10 +49769,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAutoAcceptPairingAndPrivacyConsentPrompts - + AllowAutoAcceptPairingAndPrivacyConsentPrompts + - + 0 @@ -35454,22 +49780,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowInputPersonalization - + AllowInputPersonalization + - + 1 @@ -35477,22 +49803,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain 10.0.10240 - + - DisableAdvertisingId - + DisableAdvertisingId + - + 65535 @@ -35500,21 +49826,43 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessAccountInfo - + EnableActivityFeed + - + + + Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. + 1 + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo + + + This policy setting specifies whether Windows apps can access account information. 0 
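Review bot: The new `EnableActivityFeed` node in the `-35500,21 +49826,43` hunk documents a privacy-relevant setting without saying what its values mean. Its description reads "Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user." and is followed by `1`, which looks like the default value, though the element names are not visible in this rendering. If that reading is right, cross-device activity mirroring is on unless an administrator changes it, and the text should say so, for example by appending `0 - activity publishing and mirroring disabled; 1 - enabled (default).` once the value meanings are confirmed against the policy definition. If this DDF is generated, the wording needs to change in the source manifest rather than here.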
@@ -35522,21 +49870,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessAccountInfo_ForceAllowTheseApps - + LetAppsAccessAccountInfo_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -35544,21 +49892,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessAccountInfo_ForceDenyTheseApps - + LetAppsAccessAccountInfo_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -35566,21 +49914,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessAccountInfo_UserInControlOfTheseApps - + LetAppsAccessAccountInfo_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. @@ -35588,21 +49936,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCalendar - + LetAppsAccessCalendar + - + This policy setting specifies whether Windows apps can access the calendar. 0 
@@ -35610,21 +49958,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCalendar_ForceAllowTheseApps - + LetAppsAccessCalendar_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -35632,21 +49980,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCalendar_ForceDenyTheseApps - + LetAppsAccessCalendar_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -35654,21 +50002,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCalendar_UserInControlOfTheseApps - + LetAppsAccessCalendar_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. @@ -35676,21 +50024,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCallHistory - + LetAppsAccessCallHistory + - + This policy setting specifies whether Windows apps can access call history. 0 
@@ -35698,21 +50046,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCallHistory_ForceAllowTheseApps - + LetAppsAccessCallHistory_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -35720,21 +50068,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCallHistory_ForceDenyTheseApps - + LetAppsAccessCallHistory_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -35742,21 +50090,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCallHistory_UserInControlOfTheseApps - + LetAppsAccessCallHistory_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. @@ -35764,21 +50112,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCamera - + LetAppsAccessCamera + - + This policy setting specifies whether Windows apps can access the camera. 0 
@@ -35786,21 +50134,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCamera_ForceAllowTheseApps - + LetAppsAccessCamera_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -35808,21 +50156,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCamera_ForceDenyTheseApps - + LetAppsAccessCamera_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. @@ -35830,21 +50178,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessCamera_UserInControlOfTheseApps - + LetAppsAccessCamera_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. 
@@ -35852,21 +50200,109 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessContacts - + LetAppsAccessCellularData + - + + + This policy setting specifies whether Windows apps can access cellular data. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCellularData_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data privacy setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts + + + This policy setting specifies whether Windows apps can access contacts. 0 @@ -35874,21 +50310,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessContacts_ForceAllowTheseApps - + LetAppsAccessContacts_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. 
@@ -35896,21 +50332,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessContacts_ForceDenyTheseApps - + LetAppsAccessContacts_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -35918,21 +50354,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessContacts_UserInControlOfTheseApps - + LetAppsAccessContacts_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. @@ -35940,21 +50376,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessEmail - + LetAppsAccessEmail + - + This policy setting specifies whether Windows apps can access email. 0 @@ -35962,21 +50398,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessEmail_ForceAllowTheseApps - + LetAppsAccessEmail_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. 
@@ -35984,21 +50420,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessEmail_ForceDenyTheseApps - + LetAppsAccessEmail_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -36006,21 +50442,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessEmail_UserInControlOfTheseApps - + LetAppsAccessEmail_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. @@ -36028,21 +50464,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessLocation - + LetAppsAccessLocation + - + This policy setting specifies whether Windows apps can access location. 0 @@ -36050,21 +50486,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessLocation_ForceAllowTheseApps - + LetAppsAccessLocation_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. 
@@ -36072,21 +50508,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessLocation_ForceDenyTheseApps - + LetAppsAccessLocation_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -36094,21 +50530,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessLocation_UserInControlOfTheseApps - + LetAppsAccessLocation_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. @@ -36116,21 +50552,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMessaging - + LetAppsAccessMessaging + - + This policy setting specifies whether Windows apps can read or send messages (text or MMS). 0 @@ -36138,21 +50574,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMessaging_ForceAllowTheseApps - + LetAppsAccessMessaging_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. 
@@ -36160,21 +50596,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMessaging_ForceDenyTheseApps - + LetAppsAccessMessaging_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -36182,21 +50618,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMessaging_UserInControlOfTheseApps - + LetAppsAccessMessaging_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. @@ -36204,21 +50640,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMicrophone - + LetAppsAccessMicrophone + - + This policy setting specifies whether Windows apps can access the microphone. 0 @@ -36226,21 +50662,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMicrophone_ForceAllowTheseApps - + LetAppsAccessMicrophone_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. 
@@ -36248,21 +50684,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMicrophone_ForceDenyTheseApps - + LetAppsAccessMicrophone_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -36270,21 +50706,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMicrophone_UserInControlOfTheseApps - + LetAppsAccessMicrophone_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. @@ -36292,21 +50728,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMotion - + LetAppsAccessMotion + - + This policy setting specifies whether Windows apps can access motion data. 0 @@ -36314,21 +50750,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMotion_ForceAllowTheseApps - + LetAppsAccessMotion_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. 
@@ -36336,21 +50772,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMotion_ForceDenyTheseApps - + LetAppsAccessMotion_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -36358,21 +50794,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessMotion_UserInControlOfTheseApps - + LetAppsAccessMotion_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. @@ -36380,21 +50816,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessNotifications - + LetAppsAccessNotifications + - + This policy setting specifies whether Windows apps can access notifications. 0 @@ -36402,21 +50838,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessNotifications_ForceAllowTheseApps - + LetAppsAccessNotifications_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. 
@@ -36424,21 +50860,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessNotifications_ForceDenyTheseApps - + LetAppsAccessNotifications_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -36446,21 +50882,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessNotifications_UserInControlOfTheseApps - + LetAppsAccessNotifications_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. @@ -36468,21 +50904,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessPhone - + LetAppsAccessPhone + - + This policy setting specifies whether Windows apps can make phone calls 0 @@ -36490,21 +50926,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessPhone_ForceAllowTheseApps - + LetAppsAccessPhone_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. 
@@ -36512,21 +50948,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessPhone_ForceDenyTheseApps - + LetAppsAccessPhone_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -36534,21 +50970,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessPhone_UserInControlOfTheseApps - + LetAppsAccessPhone_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. @@ -36556,21 +50992,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessRadios - + LetAppsAccessRadios + - + This policy setting specifies whether Windows apps have access to control radios. 0 @@ -36578,21 +51014,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessRadios_ForceAllowTheseApps - + LetAppsAccessRadios_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. 
@@ -36600,21 +51036,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessRadios_ForceDenyTheseApps - + LetAppsAccessRadios_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -36622,21 +51058,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessRadios_UserInControlOfTheseApps - + LetAppsAccessRadios_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. @@ -36644,21 +51080,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTasks - + LetAppsAccessTasks + - + This policy setting specifies whether Windows apps can access tasks. 0 @@ -36666,21 +51102,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTasks_ForceAllowTheseApps - + LetAppsAccessTasks_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. 
@@ -36688,21 +51124,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTasks_ForceDenyTheseApps - + LetAppsAccessTasks_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -36710,21 +51146,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTasks_UserInControlOfTheseApps - + LetAppsAccessTasks_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. @@ -36732,21 +51168,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTrustedDevices - + LetAppsAccessTrustedDevices + - + This policy setting specifies whether Windows apps can access trusted devices. 0 @@ -36754,21 +51190,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTrustedDevices_ForceAllowTheseApps - + LetAppsAccessTrustedDevices_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. 
@@ -36776,21 +51212,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTrustedDevices_ForceDenyTheseApps - + LetAppsAccessTrustedDevices_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -36798,21 +51234,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - + LetAppsAccessTrustedDevices_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. @@ -36820,21 +51256,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsGetDiagnosticInfo - + LetAppsGetDiagnosticInfo + - + This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. 0 @@ -36842,21 +51278,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - + LetAppsGetDiagnosticInfo_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. 
@@ -36864,21 +51300,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - + LetAppsGetDiagnosticInfo_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. @@ -36886,21 +51322,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - + LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. @@ -36908,21 +51344,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsRunInBackground - + LetAppsRunInBackground + - + This policy setting specifies whether Windows apps can run in the background. 0 @@ -36930,21 +51366,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsRunInBackground_ForceAllowTheseApps - + LetAppsRunInBackground_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. 
@@ -36952,21 +51388,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsRunInBackground_ForceDenyTheseApps - + LetAppsRunInBackground_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. @@ -36974,21 +51410,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsRunInBackground_UserInControlOfTheseApps - + LetAppsRunInBackground_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. @@ -36996,21 +51432,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsSyncWithDevices - + LetAppsSyncWithDevices + - + This policy setting specifies whether Windows apps can sync with devices. 0 @@ -37018,21 +51454,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsSyncWithDevices_ForceAllowTheseApps - + LetAppsSyncWithDevices_ForceAllowTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
@@ -37040,21 +51476,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsSyncWithDevices_ForceDenyTheseApps - + LetAppsSyncWithDevices_ForceDenyTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -37062,21 +51498,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - LetAppsSyncWithDevices_UserInControlOfTheseApps - + LetAppsSyncWithDevices_UserInControlOfTheseApps + - + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. @@ -37084,15 +51520,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + + + + PublishUserActivities + + + + + Allows apps/system to publish 'User Activities' into ActivityFeed. + 1 + + + + + + + + + + + text/plain + + @@ -37115,10 +51573,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - CustomizeWarningMessages - + CustomizeWarningMessages + - + @@ -37126,25 +51584,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Options - + - SessionLogging - + SessionLogging + - + @@ -37152,25 +51610,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Logging - + - SolicitedRemoteAssistance - + SolicitedRemoteAssistance + - + 
@@ -37178,25 +51636,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Solicit - + - UnsolicitedRemoteAssistance - + UnsolicitedRemoteAssistance + - + @@ -37204,19 +51662,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone remoteassistance.admx RemoteAssistance~AT~System~RemoteAssist RA_Unsolicit - + @@ -37239,10 +51697,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowUsersToConnectRemotely - + AllowUsersToConnectRemotely + - + @@ -37250,25 +51708,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS TS_DISABLE_CONNECTIONS - + - ClientConnectionEncryptionLevel - + ClientConnectionEncryptionLevel + - + @@ -37276,25 +51734,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_ENCRYPTION_POLICY - + - DoNotAllowDriveRedirection - + DoNotAllowDriveRedirection + - + @@ -37302,25 +51760,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION TS_CLIENT_DRIVE_M - + - DoNotAllowPasswordSaving - + DoNotAllowPasswordSaving + - + 
@@ -37328,25 +51786,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT TS_CLIENT_DISABLE_PASSWORD_SAVING_2 - + - PromptForPasswordUponConnection - + PromptForPasswordUponConnection + - + @@ -37354,25 +51812,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_PASSWORD - + - RequireSecureRPCCommunication - + RequireSecureRPCCommunication + - + 
@@ -37380,19 +51838,429 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone terminalserver.admx TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY TS_RPC_ENCRYPTION - + + + + + RemoteManagement + + + + + + + + + + + + + + + + + + + AllowBasicAuthentication_Client + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + AllowBasic_2 + + + + AllowBasicAuthentication_Service + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + AllowBasic_1 + + + + AllowCredSSPAuthenticationClient + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + AllowCredSSP_1 + + + + AllowCredSSPAuthenticationService + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + AllowCredSSP_2 + + + + AllowRemoteServerManagement + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + AllowAutoConfig + + + + AllowUnencryptedTraffic_Client + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + AllowUnencrypted_2 + + + + AllowUnencryptedTraffic_Service + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + AllowUnencrypted_1 + + + + DisallowDigestAuthentication + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + DisallowDigest + + + 
+ DisallowNegotiateAuthenticationClient + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + DisallowNegotiate_1 + + + + DisallowNegotiateAuthenticationService + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + DisallowNegotiate_2 + + + + DisallowStoringOfRunAsCredentials + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + DisableRunAs + + + + SpecifyChannelBindingTokenHardeningLevel + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + CBTHardeningLevel_1 + + + + TrustedHosts + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient + TrustedHosts + + + + TurnOnCompatibilityHTTPListener + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + HttpCompatibilityListener + + + + TurnOnCompatibilityHTTPSListener + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteManagement.admx + WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService + HttpsCompatibilityListener + @@ -37415,10 +52283,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - RestrictUnauthenticatedRPCClients - + RestrictUnauthenticatedRPCClients + - + @@ -37426,25 +52294,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone rpc.admx RPC~AT~System~Rpc RpcRestrictRemoteClients - + - RPCEndpointMapperClientAuthentication - + RPCEndpointMapperClientAuthentication + - + 
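Review bot: The ADMX mappings for the CredSSP and Negotiate nodes added in this hunk look crossed between client and service. `AllowCredSSPAuthenticationClient` is paired with the `WinRM~WinRMService` category and `AllowCredSSP_1`, `AllowCredSSPAuthenticationService` also with `WinRMService` (`AllowCredSSP_2`), `DisallowNegotiateAuthenticationClient` with `WinRMService` / `DisallowNegotiate_1`, and `DisallowNegotiateAuthenticationService` with `WinRMClient` / `DisallowNegotiate_2`. The Basic and unencrypted-traffic nodes in the same hunk consistently use `_1` with `WinRMService` and `_2` with `WinRMClient`, so by that pattern the client nodes should carry `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient` with `AllowCredSSP_2` and `DisallowNegotiate_2`, and the service nodes `WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService` with `AllowCredSSP_1` and `DisallowNegotiate_1`. These are authentication-hardening settings, so an administrator who follows the mapping to the backing Group Policy could harden the wrong side and leave the intended one at its default. The element tags are not visible in this rendering, so the pairing is read from value order and should be confirmed against WindowsRemoteManagement.admx.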
@@ -37452,19 +52320,221 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone rpc.admx RPC~AT~System~Rpc RpcEnableAuthEpResolution - + + + + + RemoteShell + + + + + + + + + + + + + + + + + + + AllowRemoteShellAccess + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + AllowRemoteShellAccess + + + + MaxConcurrentUsers + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + MaxConcurrentUsers + + + + SpecifyIdleTimeout + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + IdleTimeout + + + + SpecifyMaxMemory + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + MaxMemoryPerShellMB + + + + SpecifyMaxProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + MaxProcessesPerShell + + + + SpecifyMaxRemoteShells + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + MaxShellsPerUser + + + + SpecifyShellTimeout + + + + + + + + + + + + + + + + + text/plain + + phone + WindowsRemoteShell.admx + WindowsRemoteShell~AT~WindowsComponents~WinRS + ShellTimeOut + @@ -37487,10 +52557,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowIndexingEncryptedStoresOrItems - + AllowIndexingEncryptedStoresOrItems + - + 0 @@ -37498,21 +52568,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowSearchToUseLocation - + AllowSearchToUseLocation + - + 1 
@@ -37520,21 +52590,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowStoringImagesFromVisionSearch - + AllowStoringImagesFromVisionSearch + - + 1 @@ -37542,21 +52612,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowUsingDiacritics - + AllowUsingDiacritics + - + 0 @@ -37564,21 +52634,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowWindowsIndexer - + AllowWindowsIndexer + - + 3 @@ -37586,21 +52656,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AlwaysUseAutoLangDetection - + AlwaysUseAutoLangDetection + - + 0 @@ -37608,21 +52678,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DisableBackoff - + DisableBackoff + - + 0 @@ -37630,21 +52700,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DisableRemovableDriveIndexing - + DisableRemovableDriveIndexing + - + 0 @@ -37652,21 +52722,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - PreventIndexingLowDiskSpaceMB - + PreventIndexingLowDiskSpaceMB + - + 1 @@ -37674,21 +52744,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - PreventRemoteQueries - + PreventRemoteQueries + - + 1 @@ -37696,21 +52766,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - SafeSearchPermissions - + SafeSearchPermissions + - + 1 
@@ -37718,16 +52788,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + @@ -37750,10 +52820,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAddProvisioningPackage - + AllowAddProvisioningPackage + - + 1 @@ -37761,21 +52831,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowManualRootCertificateInstallation - + AllowManualRootCertificateInstallation + - + 1 @@ -37783,22 +52853,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - AllowRemoveProvisioningPackage - + AllowRemoveProvisioningPackage + - + 1 @@ -37806,21 +52876,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AntiTheftMode - + AntiTheftMode + - + 1 @@ -37828,22 +52898,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - + ClearTPMIfNotReady + - + 0 @@ -37851,21 +52921,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + phone + - RequireDeviceEncryption - + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + - + 0 @@ -37873,21 +52944,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - RequireProvisioningPackageSignature - + RequireDeviceEncryption + - + 0 @@ -37895,21 +52966,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - RequireRetrieveHealthCertificateOnBoot - + RequireProvisioningPackageSignature + - + 0 
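Review bot: `ClearTPMIfNotReady` is introduced in the `-37828,22 +52898,22` hunk with a default of `0` but, as far as this rendering shows, no description text, whereas other nodes in the file (for example `HideAppList`) spell out what each value does. Clearing a TPM discards the keys it protects, so the node should state when a clear is offered and what the values mean. Something along the lines of `Controls whether the device may prompt to clear the TPM when it is in a non-ready state; 0 (default) - no prompt.` would do, with the wording for non-zero values confirmed by the policy owner. The node's remaining lines continue in the next hunk.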
@@ -37917,15 +52988,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + + + + RequireRetrieveHealthCertificateOnBoot + + + + + + 0 + + + + + + + + + + + text/plain + + @@ -37948,10 +53041,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAutoPlay - + AllowAutoPlay + - + 1 @@ -37959,22 +53052,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowDataSense - + AllowDataSense + - + 1 @@ -37982,21 +53075,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowDateTime - + AllowDateTime + - + 1 @@ -38004,21 +53097,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowEditDeviceName - + AllowEditDeviceName + - + 1 @@ -38026,21 +53119,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowLanguage - + AllowLanguage + - + 1 @@ -38048,22 +53141,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPowerSleep - + AllowPowerSleep + - + 1 @@ -38071,22 +53164,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowRegion - + AllowRegion + - + 1 @@ -38094,22 +53187,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowSignInOptions - + AllowSignInOptions + - + 1 @@ -38117,22 +53210,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowVPN - + AllowVPN + - + 1 
@@ -38140,21 +53233,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowWorkplace - + AllowWorkplace + - + 1 @@ -38162,22 +53255,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowYourAccount - + AllowYourAccount + - + 1 @@ -38185,21 +53278,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - PageVisibilityList - + PageVisibilityList + - + @@ -38207,15 +53300,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + @@ -38238,10 +53331,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - EnableAppInstallControl - + EnableAppInstallControl + - + 0 @@ -38249,22 +53342,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - EnableSmartScreenInShell - + EnableSmartScreenInShell + - + 1 @@ -38272,22 +53365,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - PreventOverrideForFilesInShell - + PreventOverrideForFilesInShell + - + 0 @@ -38295,16 +53388,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -38327,10 +53420,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowSpeechModelUpdate - + AllowSpeechModelUpdate + - + 1 @@ -38338,15 +53431,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + 
@@ -38369,10 +53462,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowPinnedFolderDocuments - + AllowPinnedFolderDocuments + - + This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38380,22 +53473,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderDownloads - + AllowPinnedFolderDownloads + - + This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38403,22 +53496,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderFileExplorer - + AllowPinnedFolderFileExplorer + - + This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 
@@ -38426,22 +53519,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderHomeGroup - + AllowPinnedFolderHomeGroup + - + This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38449,22 +53542,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderMusic - + AllowPinnedFolderMusic + - + This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38472,22 +53565,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderNetwork - + AllowPinnedFolderNetwork + - + This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 
@@ -38495,22 +53588,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderPersonalFolder - + AllowPinnedFolderPersonalFolder + - + This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38518,22 +53611,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderPictures - + AllowPinnedFolderPictures + - + This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38541,22 +53634,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderSettings - + AllowPinnedFolderSettings + - + This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 
@@ -38564,22 +53657,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowPinnedFolderVideos - + AllowPinnedFolderVideos + - + This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 65535 @@ -38587,22 +53680,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ForceStartSize - + ForceStartSize + - + 0 @@ -38610,22 +53703,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - HideAppList - + HideAppList + - + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. 0 @@ -38633,22 +53726,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - HideChangeAccountSettings - + HideChangeAccountSettings + - + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. 0 @@ -38656,21 +53749,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideFrequentlyUsedApps - + HideFrequentlyUsedApps + - + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. 0 
@@ -38678,22 +53771,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - HideHibernate - + HideHibernate + - + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. 0 @@ -38701,21 +53794,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideLock - + HideLock + - + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. 0 @@ -38723,21 +53816,44 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HidePowerButton - + HidePeopleBar + - + + + Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + 0 + + + + + + + + + + + text/plain + + phone + + + + HidePowerButton + + + Enabling this policy hides the power button from appearing in the start menu. 0 @@ -38745,21 +53861,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideRecentJumplists - + HideRecentJumplists + - + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. 0 @@ -38767,22 +53883,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - HideRecentlyAddedApps - + HideRecentlyAddedApps + - + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. 0 
@@ -38790,22 +53906,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - HideRestart - + HideRestart + - + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. 0 @@ -38813,21 +53929,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideShutDown - + HideShutDown + - + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. 0 @@ -38835,21 +53951,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideSignOut - + HideSignOut + - + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. 0 @@ -38857,21 +53973,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideSleep - + HideSleep + - + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. 0 @@ -38879,21 +53995,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideSwitchAccount - + HideSwitchAccount + - + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. 0 @@ -38901,21 +54017,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - HideUserTile - + HideUserTile + - + Enabling this policy hides the user tile from appearing in the start menu. 0 
@@ -38923,21 +54039,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ImportEdgeAssets - + ImportEdgeAssets + - + This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. @@ -38945,22 +54061,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - NoPinningToTaskbar - + NoPinningToTaskbar + - + This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. 0 @@ -38968,22 +54084,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - StartLayout - + StartLayout + - + @@ -38991,16 +54107,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -39023,10 +54139,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - EnhancedStorageDevices - + EnhancedStorageDevices + - + 
@@ -39034,19 +54150,19 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone enhancedstorage.admx EnhancedStorage~AT~System~EnStorDeviceAccess TCGSecurityActivationDisabled - + @@ -39069,10 +54185,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowBuildPreview - + AllowBuildPreview + - + 2 @@ -39080,21 +54196,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowEmbeddedMode - + AllowEmbeddedMode + - + 0 @@ -39102,21 +54218,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowExperimentation - + AllowExperimentation + - + 1 @@ -39124,21 +54240,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowFontProviders - + AllowFontProviders + - + 1 @@ -39146,21 +54262,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowLocation - + AllowLocation + - + 1 @@ -39168,21 +54284,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowStorageCard - + AllowStorageCard + - + 1 @@ -39190,21 +54306,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowTelemetry - + AllowTelemetry + - + 3 @@ -39212,21 +54328,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowUserToResetPhone - + AllowUserToResetPhone + - + 1 @@ -39234,21 +54350,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - BootStartDriverInitialization - + BootStartDriverInitialization + - + 
@@ -39256,47 +54372,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone earlylauncham.admx EarlyLaunchAM~AT~System~ELAMCategory POL_DriverLoadPolicy_Name - + - DisableOneDriveFileSync - + DisableOneDriveFileSync + - + - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 0 - + - + - text/plain + text/plain - + - DisableSystemRestore - + DisableSystemRestore + - + @@ -39304,25 +54420,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone systemrestore.admx SystemRestore~AT~System~SR SR_DisableSR - + - TelemetryProxy - + TelemetryProxy + - + @@ -39330,15 +54446,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + 
@@ -39361,10 +54477,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowIMELogging - + AllowIMELogging + - + 1 @@ -39372,22 +54488,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowIMENetworkAccess - + AllowIMENetworkAccess + - + 1 @@ -39395,22 +54511,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowInputPanel - + AllowInputPanel + - + 1 @@ -39418,22 +54534,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowJapaneseIMESurrogatePairCharacters - + AllowJapaneseIMESurrogatePairCharacters + - + 1 @@ -39441,22 +54557,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowJapaneseIVSCharacters - + AllowJapaneseIVSCharacters + - + 1 @@ -39464,22 +54580,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowJapaneseNonPublishingStandardGlyph - + AllowJapaneseNonPublishingStandardGlyph + - + 1 @@ -39487,22 +54603,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowJapaneseUserDictionary - + AllowJapaneseUserDictionary + - + 1 @@ -39510,22 +54626,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowKeyboardTextSuggestions - + AllowKeyboardTextSuggestions + - + 1 @@ -39533,21 +54649,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowLanguageFeaturesUninstall - + AllowLanguageFeaturesUninstall + - + 1 
@@ -39555,22 +54671,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ExcludeJapaneseIMEExceptJIS0208 - + ExcludeJapaneseIMEExceptJIS0208 + - + 0 @@ -39578,21 +54694,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ExcludeJapaneseIMEExceptJIS0208andEUDC - + ExcludeJapaneseIMEExceptJIS0208andEUDC + - + 0 @@ -39600,22 +54716,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - ExcludeJapaneseIMEExceptShiftJIS - + ExcludeJapaneseIMEExceptShiftJIS + - + 0 @@ -39623,16 +54739,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + @@ -39655,10 +54771,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowSet24HourClock - + AllowSet24HourClock + - + 0 @@ -39666,16 +54782,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain desktop - + @@ -39698,10 +54814,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - ActiveHoursEnd - + ActiveHoursEnd + - + 17 @@ -39709,21 +54825,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ActiveHoursMaxRange - + ActiveHoursMaxRange + - + 18 @@ -39731,21 +54847,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ActiveHoursStart - + ActiveHoursStart + - + 8 @@ -39753,21 +54869,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowAutoUpdate - + AllowAutoUpdate + - + 2 
@@ -39775,21 +54891,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowMUUpdateService - + AllowAutoWindowsUpdateDownloadOverMeteredNetwork + - + 0 @@ -39797,22 +54913,44 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + + + + AllowMUUpdateService + + + + + + 0 + + + + + + + + + + + text/plain phone - + - AllowNonMicrosoftSignedUpdate - + AllowNonMicrosoftSignedUpdate + - + 1 @@ -39820,21 +54958,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowUpdateService - + AllowUpdateService + - + 1 @@ -39842,21 +54980,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AutoRestartDeadlinePeriodInDays - + AutoRestartDeadlinePeriodInDays + - + 7 @@ -39864,21 +55002,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AutoRestartNotificationSchedule - + AutoRestartNotificationSchedule + - + 15 @@ -39886,21 +55024,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AutoRestartRequiredNotificationDismissal - + AutoRestartRequiredNotificationDismissal + - + 1 @@ -39908,21 +55046,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - BranchReadinessLevel - + BranchReadinessLevel + - + 16 @@ -39930,21 +55068,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DeferFeatureUpdatesPeriodInDays - + DeferFeatureUpdatesPeriodInDays + - + 0 
@@ -39952,21 +55090,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DeferQualityUpdatesPeriodInDays - + DeferQualityUpdatesPeriodInDays + - + 0 @@ -39974,21 +55112,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DeferUpdatePeriod - + DeferUpdatePeriod + - + 0 @@ -39996,21 +55134,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DeferUpgradePeriod - + DeferUpgradePeriod + - + 0 @@ -40018,21 +55156,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - DetectionFrequency - + DetectionFrequency + - + 22 @@ -40040,21 +55178,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EngagedRestartDeadline - + EngagedRestartDeadline + - + 14 @@ -40062,21 +55200,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EngagedRestartSnoozeSchedule - + EngagedRestartSnoozeSchedule + - + 3 @@ -40084,21 +55222,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - EngagedRestartTransitionSchedule - + EngagedRestartTransitionSchedule + - + 7 @@ -40106,21 +55244,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ExcludeWUDriversInQualityUpdate - + ExcludeWUDriversInQualityUpdate + - + 0 @@ -40128,21 +55266,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - FillEmptyContentUrls - + FillEmptyContentUrls + - + 0 
@@ -40150,21 +55288,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - IgnoreMOAppDownloadLimit - + IgnoreMOAppDownloadLimit + - + 0 @@ -40172,21 +55310,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - IgnoreMOUpdateDownloadLimit - + IgnoreMOUpdateDownloadLimit + - + 0 @@ -40194,219 +55332,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - PauseDeferrals - + ManageBuildPreview + - - - - 0 - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdates - - - - - - 0 - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdates - - - - - - 0 - - - - - - - - - - - text/plain - - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - - - - PhoneUpdateRestrictions - - - - - - 4 - - - - - - - - - - - text/plain - - - - - RequireDeferUpgrade - - - - - - 0 - - - - - - - - - - - text/plain - - - - - RequireUpdateApproval - - - - - - 0 - - - - - - - - - - - text/plain - - - - - ScheduledInstallDay - - - - - - 0 - - - - - - - - - - - text/plain - - - - - ScheduledInstallTime - - - + 3 @@ -40414,65 +55354,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - ScheduleImminentRestartWarning - + PauseDeferrals + - - - - 15 - - - - - - - - - - - text/plain - - - - - ScheduleRestartWarning - - - - - - 4 - - - - - - - - - - - text/plain - - - - - SetAutoRestartNotificationDisable - - - + 0 @@ -40480,21 +55376,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - SetEDURestart - + PauseFeatureUpdates + - + 0 
@@ -40502,43 +55398,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - UpdateServiceUrl - + PauseFeatureUpdatesStartTime + - - - - CorpWSUS - - - - - - - - - - - text/plain - - - - - UpdateServiceUrlAlternate - - - + @@ -40546,16 +55420,412 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain + + + + + PauseQualityUpdates + + + + + + 0 + + + + + + + + + + + text/plain + + + + + PauseQualityUpdatesStartTime + + + + + + + + + + + + + + + + + text/plain + + + + + PhoneUpdateRestrictions + + + + + + 4 + + + + + + + + + + + text/plain + + + + + RequireDeferUpgrade + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RequireUpdateApproval + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallDay + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallEveryWeek + + + + + + 1 + + + + + + + + + + + text/plain + + + + + ScheduledInstallFirstWeek + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallFourthWeek + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallSecondWeek + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallThirdWeek + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallTime + + + + + + 3 + + + + + + + + + + + text/plain + + + + + ScheduleImminentRestartWarning + + + + + + 15 + + + + + + + + + + + text/plain + + + + + ScheduleRestartWarning + + + + + + 4 + + + + + + + + + + + text/plain + + + + + SetAutoRestartNotificationDisable + + + + + + 0 + + + + + + + + + + + text/plain + + + + + SetEDURestart + + + + + + 0 + + + + + + + + + + + text/plain + + + + + UpdateServiceUrl + + + + + + CorpWSUS + + + + + + + + + + + text/plain + + + + + UpdateServiceUrlAlternate + + + + + + + + + + + + + + + + + text/plain phone - + 
@@ -40578,10 +55848,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowAutoConnectToWiFiSenseHotspots - + AllowAutoConnectToWiFiSenseHotspots + - + 1 @@ -40589,21 +55859,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowInternetSharing - + AllowInternetSharing + - + 1 @@ -40611,21 +55881,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowManualWiFiConfiguration - + AllowManualWiFiConfiguration + - + 1 @@ -40633,21 +55903,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowWiFi - + AllowWiFi + - + 1 @@ -40655,21 +55925,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowWiFiDirect - + AllowWiFiDirect + - + 1 @@ -40677,21 +55947,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - WLANScanMode - + WLANScanMode + - + 0 
@@ -40699,15 +55969,357 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + + + + + WindowsDefenderSecurityCenter + + + + + + + + + + + + + + + + + + + CompanyName + + + + + + + + + + + + + + + + + text/plain + + phone + + + + DisableAppBrowserUI + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableEnhancedNotifications + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableFamilyUI + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableHealthUI + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableNetworkUI + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableNotifications + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisableVirusUI + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DisallowExploitProtectionOverride + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + Email + + + + + + + + + + + + + + + + + text/plain + + phone + + + + EnableCustomizedToasts + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + EnableInAppCustomization + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + Phone + + + + + + + + + + + + + + + + + text/plain + + phone + + + + URL + + + + + + + + + + + + + + + + + text/plain + + phone + @@ -40730,10 +56342,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowSuggestedAppsInWindowsInkWorkspace - + AllowSuggestedAppsInWindowsInkWorkspace + - + 1 @@ -40741,22 +56353,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowWindowsInkWorkspace - + AllowWindowsInkWorkspace + - + 2 @@ -40764,16 +56376,16 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + 
@@ -40796,10 +56408,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - DisableLockScreenAppNotifications - + DisableLockScreenAppNotifications + - + @@ -40807,25 +56419,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone logon.admx Logon~AT~System~Logon DisableLockScreenAppNotifications - + - DontDisplayNetworkSelectionUI - + DontDisplayNetworkSelectionUI + - + @@ -40833,25 +56445,25 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone logon.admx Logon~AT~System~Logon DontDisplayNetworkSelectionUI - + - HideFastUserSwitching - + HideFastUserSwitching + - + This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. 0 @@ -40859,15 +56471,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + 
@@ -40890,10 +56502,54 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - AllowProjectionFromPC - + AllowMdnsAdvertisement + - + + + This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. + 1 + + + + + + + + + + + text/plain + + + + + AllowMdnsDiscovery + + + + + This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. + 1 + + + + + + + + + + + text/plain + + + + + AllowProjectionFromPC + + + This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. @@ -40903,21 +56559,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowProjectionFromPCOverInfrastructure - + AllowProjectionFromPCOverInfrastructure + - + This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. @@ -40927,21 +56583,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowProjectionToPC - + AllowProjectionToPC + - + This policy setting allows you to turn off projection to a PC If you set it to 0, your PC isn't discoverable and can't be projected to 
@@ -40951,22 +56607,22 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain phone - + - AllowProjectionToPCOverInfrastructure - + AllowProjectionToPCOverInfrastructure + - + This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. @@ -40976,21 +56632,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - AllowUserInputFromWirelessDisplayReceiver - + AllowUserInputFromWirelessDisplayReceiver + - + 1 @@ -40998,21 +56654,21 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + - RequirePinForPairing - + RequirePinForPairing + - + This policy setting allows you to require a pin for pairing. If you turn this on, the pairing ceremony for new devices will always require a PIN @@ -41022,15 +56678,15 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on - + - + - text/plain + text/plain - + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index e7cb76d8bc..3654fa873f 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/28/2017 --- # SurfaceHub CSP @@ -127,7 +127,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is char. -**DeviceAccount/PasswordRotationPeriod** +**DeviceAccount/PasswordRotationEnabled**

    Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).

    Valid values: diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 503965ca62..6447431681 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/28/2017 --- # SurfaceHub DDF file @@ -281,7 +281,7 @@ The XML below is the current version for this CSP. - PasswordRotationPeriod + PasswordRotationEnabled diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index d905d434f9..f4b6271552 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -45,7 +45,7 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed). +Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. 
For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). ## ADMX files and the Group Policy Editor diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 9e26467563..05e8da9fa3 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/07/2017 --- # VPNv2 CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. @@ -45,8 +47,6 @@ Supported operations include Get, Add, and Delete. > **Note**  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. -  - **VPNv2/***ProfileName***/AppTriggerList** Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. 
@@ -91,6 +91,11 @@ The subnet prefix size part of the destination prefix for the route entry. This, Value type is int. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/RouteList/***routeRowId***/Metric** +Added in Windows 10, version 1607. The route's metric. + +Value type is int. Supported operations include Get, Add, Replace, and Delete. + **VPNv2/***ProfileName***/RouteList/***routeRowId***/ExclusionRoute** Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values: @@ -261,7 +266,7 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/LockDown** +**VPNv2/***ProfileName***/LockDown** (./Device only profile) Lockdown profile. Valid values: 
@@ -280,6 +285,24 @@ A Lockdown profile must be deleted before you can add, remove, or connect other Value type is bool. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/DeviceTunnel** (./Device only profile) +Device tunnel profile. + +Valid values: + +- False (default) - this is not a device tunnel profile. +- True - this is a device tunnel profile. + +When the DeviceTunnel profile is turned on, it does the following things: + +- First, it automatically becomes an "always on" profile. +- Second, it does not require the presence or logging in of any user to the machine in order for it to connect. +- Third, no other device tunnel profile maybe be present on the same machine. + +A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. + +Value type is bool. Supported operations include Get, Add, Replace, and Delete. + **VPNv2/***ProfileName***/DnsSuffix** Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. @@ -493,6 +516,8 @@ The following list contains the valid values: - AES128 - AES192 - AES256 +- AES\_GCM_128 +- AES\_GCM_256 Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -542,6 +567,11 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio Value type is chr. Supported operations include Get, Add, Replace, and Delete. +**VPNv2/***ProfileName***/NativeProfile/DisableClassBasedDefaultRoute** +Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 + +Value type is bool. Supported operations include Get, Add, Replace, and Delete. + ## Examples 
@@ -1215,7 +1245,7 @@ Servers ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/EncryptionMethod - PFS2048 + AES128 @@ -1224,7 +1254,7 @@ Servers ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/IntegrityCheckMethod - Eap + SHA256 @@ -1233,7 +1263,7 @@ Servers ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/DHGroup - SHA256 + Group2 @@ -1242,7 +1272,7 @@ Servers ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/PfsGroup - AES128 + PFS2048 diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index f85acf61e2..1312ba1a63 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 07/07/2017 --- # VPNv2 DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider. @@ -20,7 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1709. ``` syntax @@ -33,7 +35,7 @@ The XML below is the current version for this CSP. 1.2 VPNv2 - ./Vendor/MSFT + ./Device/Vendor/MSFT 
@@ -48,7 +50,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.2/MDM/VPNv2 + com.microsoft/1.3/MDM/VPNv2 @@ -310,7 +312,7 @@ The XML below is the current version for this CSP. - + False = This Route will direct traffic over the VPN True = This Route will direct traffic over the physical interface By default, this value is false. @@ -953,6 +955,43 @@ The XML below is the current version for this CSP. + + DeviceTunnel + + + + + + + + + False = This is not a Device Tunnel profile and it is the default value. + True = This is a Device Tunnel profile. + + If turned on a device tunnel profile does four things. + First, it automatically becomes an always on profile. + Second, it does not require the presence or logging in + of any user to the machine in order for it to connect. + Third, no other Device Tunnel profile maybe be present on the + Same machine. + + A device tunnel profile must be deleted before another device tunnel + profile can be added, removed, or connected. + + + + + + + + + + + + text/plain + + + DnsSuffix @@ -1996,6 +2035,8 @@ The XML below is the current version for this CSP. -- AES128 -- AES192 -- AES256 + -- AES_GCM_128 + -- AES_GCM_256 @@ -2180,7 +2221,7 @@ The XML below is the current version for this CSP. - + com.microsoft/1.3/MDM/VPNv2 @@ -4087,6 +4128,8 @@ The XML below is the current version for this CSP. -- AES128 -- AES192 -- AES256 + -- AES_GCM_128 + -- AES_GCM_256 @@ -4255,14 +4298,4 @@ The XML below is the current version for this CSP. -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index b4b671369b..665ae99cae 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md 
@@ -12,6 +12,9 @@ ms.date: 06/19/2017 # WindowsAdvancedThreatProtection CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 00afc29c8a..196883556d 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -12,6 +12,9 @@ ms.date: 06/19/2017 # WindowsAdvancedThreatProtection DDF file +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md new file mode 100644 index 0000000000..3df07a32ad --- /dev/null +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
@@ -0,0 +1,95 @@ +--- +title: WindowsDefenderApplicationGuard CSP +description: WindowsDefenderApplicationGuard CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 06/27/2017 +--- + +# WindowsDefenderApplicationGuard CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709. + +The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format. + +![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png) + +**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** +

    Root node. Supported operation is Get.

    +

    + +**Settings** +

    Interior node. Supported operation is Get.

    + +**Settings/AllowWindowsDefenderApplicationGuard** +

    Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    + + - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. + - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. + +**Settings/ClipboardFileType** +

    Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    + +- 0 - Allow text copying. +- 1 - Allow text and image copying. + +**Settings/ClipboardSettings** +

    This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete

    + +- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. +- 1 - Turns On the clipboard functionality and lets you choose whether to additionally enable copying of certain content from Application Guard into Microsoft Edge and enable copying of certain content from Microsoft Edge into Application Guard. + +> [!Important] +> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. + +**Settings/PrintingSettings** +

    This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    + +- 0 - Disables all print functionality (default) +- 1 - Enables only XPS printing +- 2 - Enables only PDF printing +- 3 - Enables both PDF and XPS printing +- 4 - Enables only local printing +- 5 - Enables both local and XPS printing - 6 - Enables both local and PDF printing +- 7 - Enables local, PDF, and XPS printing +- 8 - Enables only network printing +- 9 - Enables both network and XPS printing +- 10 - Enables both network and PDF printing +- 11 - Enables network, PDF, and XPS printing +- 12 - Enables both network and local printing +- 13 - Enables network, local, and XPS printing +- 14 - Enables network, local, and PDF printing +- 15 - Enables all printing + +**Settings/BlockNonEnterpriseContent** +

    This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    + +- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard. +- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. + +**Settings/AllowPersistence** +

    This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

    + +- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. +- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. + +**Status** +

    Returns status on Application Guard installation and pre-requisites. Value type is integer. Supported operation is Get.

    + +**InstallWindowsDefenderApplicationGuard** +

    Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.

    + +**Audit** +

    Interior node. Supported operation is Get

    + +**Audit/AuditApplicationGuard** +

    This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.

    + +- 0 (default) - - Audit event logs aren't collected for Application Guard. +- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md new file mode 100644 index 0000000000..d70c704083 --- /dev/null +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md 
@@ -0,0 +1,290 @@ +--- +title: WindowsDefenderApplicationGuard DDF file +description: WindowsDefenderApplicationGuard DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 06/27/2017 +--- + +# WindowsDefenderApplicationGuard DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. + +``` syntax + +]> + + 1.2 + + WindowsDefenderApplicationGuard + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/WindowsDefenderApplicationGuard + + + + Settings + + + + + + + + + + + + + + + + + + + AllowWindowsDefenderApplicationGuard + + + + + + + + + + + + + + + + + + text/plain + + + + + ClipboardFileType + + + + + + + + + + + + + + + + + + text/plain + + + + + ClipboardSettings + + + + + + + + + + + + + + + + + + text/plain + + + + + PrintingSettings + + + + + + + + + + + + + + + + + + text/plain + + + + + BlockNonEnterpriseContent + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPersistence + + + + + + + + + + + + + + + + + + text/plain + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + InstallWindowsDefenderApplicationGuard + + + + + + + + + + + + + + + + text/plain + + + + + Audit + + + + + + + + + + + + + + + + + + + AuditApplicationGuard + + + + + + + + + + + + + + + + + + text/plain + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 06c0919533..0b67cbdc42 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md 
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # New policies for Windows 10
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index ea6eb5cda2..7a13a7bc93 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Reset a Windows 10 Mobile device
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 0d6a833f58..390d23a40e 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices, security
-localizationpriority: high
+ms.localizationpriority: high
 author: AMeeus
 ---
 
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index 871ff7e560..cb11a4d0d9 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -6,41 +6,32 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high -author: brianlic-msft -ms.author: brianlic +ms.localizationpriority: high +author: eross-msft +ms.author: lizross --- # Windows 10, version 1703 basic level Windows diagnostic events and fields - **Applies to** -- Windows 10, version 1703 +- Windows 10, version 1703 and later +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level also helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. - -The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. - -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. 
- -You can learn more about Windows functional and diagnostic data through these articles: - +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles: - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) - - +>[!Note] +>Updated July 2017 to document new and modified events. We’ve added new fields to several Appraiser events to prepare for upgrades to the next release of Windows and we’ve added a brand-new event, Census.Speech, to collect basic details about speech settings and configuration. ## Common data extensions ### Common Data Extensions.App - - The following fields are available: - **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. @@ -51,8 +42,6 @@ The following fields are available: ### Common Data Extensions.CS - - The following fields are available: - **sig** A common schema signature that identifies new and modified event schemas. @@ -60,8 +49,6 @@ The following fields are available: ### Common Data Extensions.CUET - - The following fields are available: - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
@@ -258,8 +245,23 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. 
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. +- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. - **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. - **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. - **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. @@ -274,6 +276,7 @@ The following fields are available: - **SystemWim** The total SystemWim objects that are present on this device - **SystemTouch** The total SystemTouch objects that are present on this device. - **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256 
@@ -282,6 +285,21 @@ This event lists the types of objects and the hashed values of all the identifie The following fields are available: +- **DatasourceApplicationFile_RS3** The total DatasourceApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. 
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **PCFP** An ID for the system that is calculated by hashing hardware identifiers. - **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device. - **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device. @@ -298,6 +316,7 @@ The following fields are available: - **SystemWim** The SHA256 hash of SystemWim objects that are present on this device. - **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device. - **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 
@@ -1617,15 +1636,15 @@ This event is used to gather basic speech settings on the device. The following fields are available: -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. 
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. ### Census.Storage diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 7fa036486d..9d2b98bf69 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- 
@@ -14,10 +14,20 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## July 2017 +| New or changed topic | Description | +| --- | --- | +| [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** | +| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed | +| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | +|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. | +| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. | + ## June 2017 | New or changed topic | Description | | --- | --- | +| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added guidelines for using Remote Desktop app as the kiosk app and added a general guideline that apps generated using the Desktop App Converter cannot be used for kiosk apps | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added warning about using Shell Launcher to set a custom shell with an application that launches a different process and then exits | | [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) | Removed references to imaging | 
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 0cdcbc76fc..36cb3a412a 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Changes to Group Policy settings for Windows 10 Start @@ -55,7 +55,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an Prevent users from customizing their Start Screen -

    Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it

    +

    Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it

    Prevent users from uninstalling applications from Start
diff --git a/windows/configuration/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md
index 93a12aba20..935f14bc0d 100644
--- a/windows/configuration/configure-devices-without-mdm.md
+++ b/windows/configuration/configure-devices-without-mdm.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Configure devices without MDM
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 7b332830bc..3e9fff0d5c 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -6,7 +6,7 @@ ms.prod: W10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Configure Windows 10 taskbar
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md
index 10b155e2d8..1aec75a995 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: high
+ms.localizationpriority: high
 author: brianlic-msft
 ---
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index a1011e2397..7630406f0d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index fc46c6b7ee..61bf864982 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Send feedback about Cortana at work back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index b9b9f1f63c..bffa8f1644 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Set up and test Cortana with Office 365 in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index c6a9a191ca..2a3d087da8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Cortana integration in your business or enterprise
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 06a4b3cf08..5dd38b8ec8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 26579a4c9c..1eef8c58d2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 54b801cabc..3d96f92396 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index af1b1610ae..d51d5c4c88 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 2 - Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index 540ea0bb4b..b04d11d615 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index cf313aa77c..df57f9ca9d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 4 - Use Cortana at work to find your upcoming meetings
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 5df8bb1b2e..8306c2143a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 5 - Use Cortana to send email to a co-worker
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index f369b838fb..1274f67445 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 7fff5ef044..051d96937f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index fa88b44c54..070192c8e0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index def19d5939..0738115be9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: eross-msft -localizationpriority: high +ms.localizationpriority: high --- # Set up and test custom voice commands in Cortana for your organization diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 8a06655003..bad5148d3a 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Customize and export Start layout @@ -40,7 +40,9 @@ You can deploy the resulting .xml file to devices using one of the following met - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -## Customize the Start screen on your test computer + + +## Customize the Start screen on your test computer To prepare a Start layout for export, you simply customize the Start layout on a test computer. 
@@ -69,6 +71,11 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.** - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. + +>[!IMPORTANT] +>In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in. +> +>In earlier versions of Windows 10, no tile would be pinned. ## Export the Start layout diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 816c2dfba0..1313186ea4 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Customize Windows 10 Start and taskbar with Group Policy diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 3a731ffc48..544462e2ea 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
-localizationpriority: medium
+ms.localizationpriority: medium
 ---
 
 # Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -16,16 +16,16 @@ localizationpriority: medium **Applies to** - Windows 10 -- Windows 10 Mobile + >**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. >[!WARNING]  >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. 
@@ -118,10 +118,9 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus | **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. | | **Data type** | **String** | | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** | - | **Value** | Paste the contents of the Start layout .xml file that you created. | + | **Value** | Paste the contents of the Start layout .xml file that you created. |   - 7. Click **OK** to save the setting and return to the **Create Policy** page. 8. Click **Save Policy**. diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 2046f28cd5..c4a13cef3a 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Customize Windows 10 Start and taskbar with provisioning packages 
@@ -16,16 +16,16 @@ localizationpriority: medium **Applies to** - Windows 10 -- Windows 10 Mobile + >**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-devices/mobile-lockdown-designer.md) for mobile. 
+**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. ## How Start layout control works diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index fc598eebe1..963f69e6ae 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -6,7 +6,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high +ms.author: jdecker +ms.date: 06/29/2017 --- # Guidelines for choosing an app for assigned access (kiosk mode) @@ -27,6 +29,14 @@ The following guidelines may help you choose an appropriate Windows app for your - Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. +- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) cannot be used as kiosk apps. + +## Guidelines for using Remote Desktop app + +Kiosk apps open in full screen. When you assign [Remote Desktop](https://www.microsoft.com/store/apps/9wzdncrfj3ps) as the kiosk app, make sure the **Start connections in full screen** setting in the Remote Desktop app is set to **Off**. + +![Toggle Start connections in full screen to off](images/rdc.png) + ## Guidelines for Windows apps that launch other apps 
@@ -36,12 +46,11 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. +Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not supported for assigned access. If you use a web browser as your assigned access app, consider the following tips: - You can download browsers that are optimized to be used as a kiosk from the Microsoft Store. -- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorer’s web address bar. - You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) diff --git a/windows/configuration/images/rdc.png b/windows/configuration/images/rdc.png new file mode 100644 index 0000000000..e0ea9ef548 Binary files /dev/null and b/windows/configuration/images/rdc.png differ diff --git a/windows/configuration/index.md b/windows/configuration/index.md index 1432e34058..df0e8e3a76 100644 --- a/windows/configuration/index.md +++ b/windows/configuration/index.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md index 97daba286f..21d8d0d394 100644 --- a/windows/configuration/kiosk-shared-pc.md +++ b/windows/configuration/kiosk-shared-pc.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: jdeckerms --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index fd04412683..445d25bf22 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Lock down Windows 10 to specific apps diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md index 3d2b718c3d..0bcecb6b1a 100644 --- a/windows/configuration/lock-down-windows-10.md +++ b/windows/configuration/lock-down-windows-10.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Lock down Windows 10 diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index c7ee249a2d..1477240276 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Lockdown features from Windows Embedded 8.1 Industry diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 51841c4ad0..2f2bd2b989 100644 
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -6,10 +6,10 @@ keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft ms.author: brianlic-msft -ms.date: 06/13/2017 +ms.date: 07/28/2017 --- # Manage connections from Windows operating system components to Microsoft services @@ -81,7 +81,7 @@ See the following table for a summary of the management settings for Windows 10 | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | 
@@ -132,7 +132,7 @@ See the following table for a summary of the management settings for Windows Ser | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | | [17. Settings > Privacy](#bkmk-settingssection) | | | | | @@ -296,7 +296,7 @@ After that, configure the following: - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** > [!NOTE] - > This is only available on Windows 10, version 1703 and later. + > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client** -or - 
@@ -1690,12 +1690,11 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + > [!NOTE] + > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. + -or- -- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). - - -and- - - Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section. diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index de1c017907..4485b5e7e7 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Manage Windows 10 and Microsoft Store tips, tricks, and suggestions diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 6f0d6a2526..d66b267355 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: eross-msft -localizationpriority: medium +ms.localizationpriority: medium --- # Manage Wi-Fi Sense in your company 
diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md index ecb327e4a5..6fe4753762 100644 --- a/windows/configuration/mobile-devices/configure-mobile.md +++ b/windows/configuration/mobile-devices/configure-mobile.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index 054f2423b3..13c5609760 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Configure Windows 10 Mobile using Lockdown XML diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 4c7a24ae08..98d2c703e6 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: jdeckerms --- diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md index a3076896bb..839f23d947 100644 --- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md +++ b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Product IDs in Windows 10 Mobile diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 07adaea24d..7da86c0ac6 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index e9da325a36..1885282b41 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # NFC-based device provisioning diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md index 3204fd85b1..1e44466908 100644 --- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Barcode provisioning and the package splitter tool diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 32ff70af9b..d5aadcad3e 100644 
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md index 5f5c0e2193..1a2a59eb33 100644 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Settings and quick actions that can be locked down in Windows 10 Mobile diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md index fb967c625a..f7d4204adb 100644 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Start layout XML for mobile editions of Windows 10 (reference) diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index f1aeed6ade..72b2e23caf 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS -localizationpriority: high +ms.localizationpriority: high --- # Configure cellular settings for tablets and PCs 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 655266907f..b62bdf4c0b 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Introduction to configuration service providers (CSPs) for IT pros diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 8c55fb568e..859a33f7bd 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -7,7 +7,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with common settings for initial deployment (desktop wizard) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index de91fcd4cb..932bc297e9 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with apps and certificates for initial deployment (advanced provisioning) 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 835fa8a371..e818979df8 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provision PCs with apps diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 5ff8a5efe4..c12120567c 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Apply a provisioning package diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 1204c7c83d..5eda051a35 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Windows Configuration Designer command-line interface (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 6607c821d3..dc25ab7ceb 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md 
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Create a provisioning package for Windows 10 diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index e5acff9568..0596ad5024 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # How provisioning works in Windows 10 diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index ba730bf0b5..e4bec41c89 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install Windows Configuration Designer diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 9a54b72f77..6da2cc4314 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Create a provisioning package with multivariant settings 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 3b50ac1ed9..f9d607c19c 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Provisioning packages for Windows 10 diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 28621fa4b0..27015f653b 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # PowerShell cmdlets for provisioning Windows 10 (reference) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e53ee20836..e3de647451 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Use a script to install a desktop app in provisioning packages diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index fcfca68990..5cbafce644 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Settings changed when you uninstall a provisioning package diff --git a/windows/configuration/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md index cce5f6428b..af7765d2f8 100644 --- a/windows/configuration/set-up-a-device-for-anyone-to-use.md +++ b/windows/configuration/set-up-a-device-for-anyone-to-use.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a device for anyone to use (kiosk mode) diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 41b090e5e9..7a5fa6db77 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a kiosk on Windows 10 Pro, Enterprise, or Education diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 7a88e367cf..192728ded1 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -6,7 +6,7 @@ ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Set up a shared or guest PC with Windows 10 diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 5c1898026e..0bf7db49e7 100644 
--- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.date: 06/13/2017 -localizationpriority: high +ms.localizationpriority: high --- # Start layout XML for desktop editions of Windows 10 (reference) diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 7480c4532f..43804a9a80 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- @@ -37,6 +37,25 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE ![tile for MSN and for a SharePoint site](images/edge-with-logo.png) +**Example of secondary tiles in XML generated by Export-StartLayout** + +``` + +``` + + ## Export Start layout and assets @@ -53,6 +72,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images + >[!TIP] >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. 
@@ -80,6 +100,94 @@ In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, | **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets** | **Value** | Paste the contents of the assets.xml file that you created. | +**Example XML string value for the Start/ImportEdgeAssets policy** + +``` + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAK7SURBVHgB7d2JcrJIFIDR1pZGGzC8/9OOaHsLMOs/+8w5tWZPvupcGlKBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/DMdjvnUlT7xuf58qUNZiPWJsc/TtQSxPvB2zG05ifWZfp5qCWJ9OsXDl7FM8R/EMsU/05vi39eb4l8QqwSxxPpnxCpf647pS2KFH9QSq0tfEiukINZ/7VAgllhiiSXWV8QSSyyxDHix/mhiiSWWWNdap5zzPIj1Yqg135yH3c882jrc3Nv0fWmm9FBLM6a7o1jxM6WhPJzTQ95dHb6IdZO3K+ktbVfSKT1cxYoaz5UzpGaMlg+Ohqs8c6Rrus1ftHqx7g7rGjk9neKtiyzWau2M+58wb34tq1h3eX04TKEvi7p5Z7Hqau1cUxjL4tLKidWku0u0abrVtmt28W+ztTq3+RWmeFub9mLF6unj2HfoU6ymFANNrPVcinObc456bYa9FbGaa8yoKS2mU7zDFCPLgG/icDinxXWI08E5xpdYmx8rt3E+PrftU/zAnVhhbofD4Tmrjs9fvnR3KEGsU4tUnysst7HepZYxiNWatEY1NvXlFCNLrDCmRdfHnird1RyT3tZhV6DGnqpt3C99nCUGsXJaPMd6bOrPh7jCHMSq+1PCKa1cyopYw/5iwzWFNrIM+HBIDzGgXt5RrHBMT8eXn7QvQaztRb8cI3/3GrFeJ3yNTf3uNWKF/Wu7l/cTK7ztB9RhP7JsHcI5Pcz7kR+vEStM8XfoJqfda8QKQ62nfNO9jPyhBLE+UmvNixIM+C+JJZZYYon1D+Nf6MQSSyyxDHixxBJLLLFGsdzGzg0S3XrTTV3FciPq4Bbn/2lunu+xDB744VEyHlKEx195sJpH9gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL8BVPKUzB0VBYIAAAAASUVORK5CYII= + + + + + + + + 
iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJLSURBVHgB7d3Joqo6FEDBbUOCAYT//9nTN/cganz9fakaO1qDjRASAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+G/a7Q/HLgV35P5UhvQmuGrMh+mcfhFbmPeHMqS1YCUvU0nbgtUUvyFWTPGKWKZ4BVP8Aaa4WPeklX87llhipfu6fWwTa8sDtcTqoppYSSyxxBJLLLEuiCVWzv3U1cUSK17ty81YYnVTn/NXkmW4Gkusso9X30nm83YssYYlYhUrxnNjsUoph8Mh5zzGtcEdL85zXMaKeWgoVlzKZTPWGFuxYmk41vbgjm/rWFEajxXzUB9r33qs2NfHiq71WHGsjzU1H2tXH6tvPlYcq2Pl5mKdyovDLr4sVxOIVdKbviZBWms0Vprj091YYk13Y63khmN18Wm4l0CsFJ9KXYK+PpZYk1gvuroEQ8OxyoMDfp8ajrXEh7kuQWk41jA+dse3pHZjdXPNveH6uVeT94an/tZThzEujF1qMtbadPGrbo6V+a2VWHlzKWzrSb1Y43BrkfXXxXuxxvPN5fv5e3VRrO1F+bRBrGVIVbHEGpcupduxxNrnnPeH0zltEWv73vB/EUssscQS6waxxBJLLANerAeJJZZYYq105XTIc1UssSr46yCWWGLZUC6WWGKJJZZYYonVieWAREdvOtRVLAdR/ybm3hHnjxnz4XgW69HPMoj1d37wg/Gv+ZSM2R/Uz/6gfvYHv+8n+wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgGdtQJGPPIrELgAAAABJRU5ErkJggg== + + + + + + + + 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 + + + + + + + + 
iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJSSURBVHgB7d1HcuMwEEBRKBBglu9/WUc6tQBZmhze2832V08XGEwl/kwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALDbH45dTl+g9MM45WeJprkcljV/kGo47Q/jlKNEUO6WMdclwha/IBG2uFg3bPELbPEb2OJifSVHYon1m2Plr3X71CZWdEMtsbrUJlaU/mJiiSWWWA6l1SpiiSWWWGKJ9UOJJZZDqUPpNHaNWGJN+c1Y5vTkLJZYx/LcZj671dmfJRBrmtOzJdzpnKfzBBZ8n56V8O9DfidWvGe+bpNWHSyxNv2nHXWoDZZY9SU11wdLrE3/YcUvcbDEqo7WKT/ahcESK+rfVvwYzhFitUarz7mkJ7scOZTG0ZqnrjJYYgXrFmmIgyVWRUlP+hIHS6yKMW3CYFnwrdHaHHMgVnO0Sg7Eao/W8fpYYi1iXf/fcCfWDQt+Eevqo0O8ihYr2qUntfszDqXRVimfwmiJ1Rysvn3rT6w4WGue4k1lsaItUXl/XHFnwbdibYXGD8/FOrFeNAbrVHkuJlZjsJb8ZG2NVnrnifTu81G+F+vCuw5DfnH89DRfrMbz6M2ucltLrMZLM0t6MYoVY3UlLvRp/jRaDqXRuuZ3hzhaYl02jaMXcL3aHfmjAbHEEkssscQSSyyHUrHEEksssXzGzgcSfXpTrB9NLB+i9onz3ifObzOXw3EV69afZRDrZ/7gB/OP+SkZuz9dz+5PXL/709/LT/YBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPdXyNW8w51ZgAAAAASUVORK5CYII= + + + + + + + + 
iVBORw0KGgoAAAANSUhEUgAAASwAAAEsCAMAAABOo35HAAAAM1BMVEUAAAD///////////////////////////////////////////////////////////////+3leKCAAAAEXRSTlMAIFCAr9//QGCPv+8Qn88wcDAhSA0AAAJSSURBVHgB7d1HcuMwEEBRKBBglu9/WUc6tQBZmhze2832V08XGEwl/kwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALDbH45dTl+g9MM45WeJprkcljV/kGo47Q/jlKNEUO6WMdclwha/IBG2uFg3bPELbPEb2OJifSVHYon1m2Plr3X71CZWdEMtsbrUJlaU/mJiiSWWWA6l1SpiiSWWWGKJ9UOJJZZDqUPpNHaNWGJN+c1Y5vTkLJZYx/LcZj671dmfJRBrmtOzJdzpnKfzBBZ8n56V8O9DfidWvGe+bpNWHSyxNv2nHXWoDZZY9SU11wdLrE3/YcUvcbDEqo7WKT/ahcESK+rfVvwYzhFitUarz7mkJ7scOZTG0ZqnrjJYYgXrFmmIgyVWRUlP+hIHS6yKMW3CYFnwrdHaHHMgVnO0Sg7Eao/W8fpYYi1iXf/fcCfWDQt+Eevqo0O8ihYr2qUntfszDqXRVimfwmiJ1Rysvn3rT6w4WGue4k1lsaItUXl/XHFnwbdibYXGD8/FOrFeNAbrVHkuJlZjsJb8ZG2NVnrnifTu81G+F+vCuw5DfnH89DRfrMbz6M2ucltLrMZLM0t6MYoVY3UlLvRp/jRaDqXRuuZ3hzhaYl02jaMXcL3aHfmjAbHEEkssscQSSyyHUrHEEksssXzGzgcSfXpTrB9NLB+i9onz3ifObzOXw3EV69afZRDrZ/7gB/OP+SkZuz9dz+5PXL/709/LT/YBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPdXyNW8w51ZgAAAAASUVORK5CYII= + + + + +``` + ### Using a provisioning package diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md index cad0f022bc..87b59d4a68 100644 --- a/windows/configuration/start-taskbar-lockscreen.md +++ b/windows/configuration/start-taskbar-lockscreen.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: jdeckerms --- diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-the-windows-store.md index 43f1bbb647..f8b7650447 100644 --- a/windows/configuration/stop-employees-from-using-the-windows-store.md +++ b/windows/configuration/stop-employees-from-using-the-windows-store.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store, mobile author: TrudyHa -localizationpriority: high +ms.localizationpriority: high --- # Configure access to Microsoft Store @@ -59,10 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu ## Block Microsoft Store using Group Policy -Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education +Applies to: Windows 10 Enterprise, Windows 10 Education > [!Note] -> Not supported on Windows 10 Pro. +> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](https://support.microsoft.com/kb/3135657). You can also use Group Policy to manage access to Microsoft Store. diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 5fc6d0a993..10de96a306 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Manage Windows 10 Start and taskbar layout diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md index 88a4339635..611432abea 100644 --- a/windows/configuration/windows-diagnostic-data.md +++ b/windows/configuration/windows-diagnostic-data.md @@ -5,7 +5,7 @@ keywords: privacy,Windows 10 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index c68dd7afa0..9a9b601234 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md 
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Configure Windows Spotlight on the lock screen @@ -69,6 +69,8 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo >[!WARNING] > In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. +> +> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 7dc9c4e629..9881348c83 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md 
@@ -1,19 +1,51 @@ -# [Deploy, Upgrade and Update Windows 10](index.md) +# [Deploy and update Windows 10](index.md) -## Deploy Windows 10 -### [What's new in Windows 10 deployment](deploy-whats-new.md) +## [What's new in Windows 10 deployment](deploy-whats-new.md) +## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +## [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) +### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) +### [Configure VDA for Subscription Activation](vda-subscription-activation.md) +### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) +## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) + +## [Deploy Windows 10](deploy.md) +### [Overview of Windows AutoPilot](windows-10-auto-pilot.md) +### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) +### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) + +### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) +#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) +#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md) +#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md) +##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md) +#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) +##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) +##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) +##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) +##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) +##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) +#### [Troubleshoot Upgrade 
Readiness](upgrade/troubleshoot-upgrade-readiness.md) + +### [Windows 10 deployment test lab](windows-10-poc.md) +#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) +#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) ### [Plan for Windows 10 deployment](planning/index.md) #### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) #### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) #### [Windows 10 compatibility](planning/windows-10-compatibility.md) #### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) -#### [Windows To Go: feature overview](planning/windows-to-go-overview.md) -##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) -##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) -##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) -##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) -##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) + +#### [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) +##### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) +##### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) +##### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md) +##### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md) +##### [Monitor activation 
[client]](volume-activation/monitor-activation-client.md) +##### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) +##### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) + #### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) ##### [SUA User's Guide](planning/sua-users-guide.md) ###### [Using the SUA Wizard](planning/using-the-sua-wizard.md) 
@@ -39,15 +71,61 @@ ####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) ###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) ##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) + #### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md) -### [Overview of Windows AutoPilot](windows-10-auto-pilot.md) +### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) +##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) +##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) +##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) +#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) +#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) +#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) +#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) +#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) +#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Configure MDT 
settings](deploy-windows-mdt/configure-mdt-settings.md) +##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) +##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) +##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) +##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) +##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) +##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) +##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) +##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) -### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) -#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) +#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) +#### [Create an application to deploy with Windows 10 using Configuration 
Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) +#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) +#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) +#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) + +### [Windows 10 deployment tools](windows-10-deployment-tools.md) + +#### [Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) +#### [Convert MBR partition to GPT](mbr-to-gpt.md) +#### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) #### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) + +#### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) +##### [Windows To Go: feature 
overview](planning/windows-to-go-overview.md) +###### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) +###### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) +###### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) +###### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) +###### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) + #### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) ##### [Introduction to VAMT](volume-activation/introduction-vamt.md) ##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) 
@@ -132,71 +210,14 @@ ####### [XML Elements Library](usmt/usmt-xml-elements-library.md) ###### [Offline Migration Reference](usmt/offline-migration-reference.md) -### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) -#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) -#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) -#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) -#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) -#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) -#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) -#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) -#### 
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) -##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) -##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) -##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) -##### [Set up 
MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) -##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) -##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) -##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) -##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) -##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) -##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) -##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) -#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) - -## Upgrade to Windows 10 -### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) -### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -### [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) -### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) -#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) -#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md) -#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md) -##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md) -#### [Use Upgrade Readiness to manage Windows 
upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) -##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) -##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) -##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) -##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) -##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) -#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) -### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) +### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md) ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) ### [Overview of Windows as a service](update/waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) -### [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) +### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) #### [Use Update Compliance](update/update-compliance-using.md) 
@@ -218,18 +239,24 @@ #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) -## [Convert MBR partition to GPT](mbr-to-gpt.md) -## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) -## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) -## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) +## Windows Analytics +### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) +#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) +#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md) +#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md) +##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md) +#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) +##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md) +##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) +##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) +##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) +##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) +#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) +### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) +#### [Get started with Update Compliance](update/update-compliance-get-started.md) +#### [Use Update Compliance](update/update-compliance-using.md) +### [Device Health](update/device-health-monitor.md) +#### [Get started with Device Health](update/device-health-get-started.md) +#### [Using 
Device Health](update/device-health-using.md) -## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) -### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) -### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) -### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md) -### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md) -### [Monitor activation [client]](volume-activation/monitor-activation-client.md) -### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) -### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) - -## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file +## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) \ No newline at end of file diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md new file mode 100644 index 0000000000..291aa15115 --- /dev/null +++ b/windows/deployment/add-store-apps-to-image.md 
@@ -0,0 +1,83 @@ +--- +title: Add Microsoft Store for Business applications to a Windows 10 image +description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image. +keywords: upgrade, update, windows, windows 10, deploy, store, image, wim +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: DaniHalfin +ms.author: daniha +ms.date: 07/07/2017 +--- + +# Add Microsoft Store for Business applications to a Windows 10 image + +**Applies to** + +- Windows 10 + +This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps. + +>[!IMPORTANT] +>In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. + +## Prerequisites + +* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images. + +* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/store-for-business/distribute-offline-apps#download-an-offline-licensed-app). + +* A Windows Image. For instructions on image creation, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) or [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +>[!NOTE] +> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)**. 
+ +## Adding a Store application to your image + +On a machine where your image file is accessible: +1. Open Windows PowerShell with administrator privileges. +2. Mount the image. At the Windows PowerShell prompt, type: +`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test` +3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type: +`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml` + +>[!NOTE] +>Paths and file names are examples. Use your paths and file names where appropriate. +> +>Do not dismount the image, as you will return to it later. + +## Editing the Start Layout + +In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment. + +On a test machine: +1. **Install the Microsoft Store for Business application you previously added** to your image. +2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**. +3. Open Windows PowerShell with administrator privileges. +4. Use `Export-StartLayout -path .xml` where ** is the path and name of the xml file your will later import into your Windows Image. +5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image. + +Now, on the machine where your image file is accessible: +1. Import the Start layout. At the Windows PowerShell prompt, type: +`Import-StartLayout -LayoutPath ".xml" -MountPath "C:\test\"` +2. Save changes and dismount the image. At the Windows PowerShell prompt, type: +`Dismount-WindowsImage -Path c:\test -Save` + +>[!NOTE] +>Paths and file names are examples. 
Use your paths and file names where appropriate. +> +>For more information on Start customization see [Windows 10 Start Layout Customization](https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/) + + +## Related topics +* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) +* [Export-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/export-startlayout) +* [Import-StartLayout](https://technet.microsoft.com/itpro/powershell/windows/startlayout/import-startlayout) +* [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +* [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +* [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) + + diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index 7353568c47..3442d7e48a 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md @@ -12,6 +12,11 @@ ms.date: 06/28/2017 # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). +## July 2017 +| New or changed topic | Description | +|----------------------|-------------| +| The table of contents for deployment topics was reorganized. + ## June 2017 | New or changed topic | Description | |----------------------|-------------| 
@@ -59,18 +64,18 @@ The topics in this library have been updated for Windows 10, version 1703 (also | [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) | New | | [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) | New | | [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | New | -| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | New (previously published in other topics) | -| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package.md) | New (previously published in Hardware Dev Center on MSDN) | -| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant.md) | New (previously published in Hardware Dev Center on MSDN) | -| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works.md) | New (previously published in Hardware Dev Center on MSDN) | -| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd.md) | New (previously published in Hardware Dev Center on MSDN) | -| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc.md) | New (previously published in Hardware Dev Center on MSDN) | -| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package.md) | New (previously published in Hardware Dev Center on MSDN) | -| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md) | New (previously published in Hardware Dev Center on MSDN) | -| [Windows ICD command-line interface 
(reference)](/windows/configuration/provisioning-packages/provisioning-command-line.md) | New (previously published in Hardware Dev Center on MSDN) | +| [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | New (previously published in other topics) | +| [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Create a provisioning package with multivariant settings](/windows/configuration/provisioning-packages/provisioning-multivariant) | New (previously published in Hardware Dev Center on MSDN) | +| [How provisioning works in Windows 10](/windows/configuration/provisioning-packages/provisioning-how-it-works) | New (previously published in Hardware Dev Center on MSDN) | +| [Install Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) | New (previously published in Hardware Dev Center on MSDN) | +| [NFC-based device provisioning](/windows/configuration/mobile-devices/provisioning-nfc) | New (previously published in Hardware Dev Center on MSDN) | +| [Settings changed when you uninstall a provisioning package](/windows/configuration/provisioning-packages/provisioning-uninstall-package) | New (previously published in Hardware Dev Center on MSDN) | +| [Use a script to install a desktop app in provisioning packages](/windows/configuration/provisioning-packages/provisioning-script-to-install-app) | New (previously published in Hardware Dev Center on MSDN) | +| [Windows ICD command-line interface (reference)](/windows/configuration/provisioning-packages/provisioning-command-line) | New (previously published in Hardware Dev Center on MSDN) | | [Get started with Upgrade Analytics](upgrade/upgrade-readiness-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | -| [Provision PCs 
with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | -| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package.md) | +| [Provision PCs with common settings for initial deployment (simple provisioning)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | +| [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) | Instructions for applying the provisioning package moved to [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) | ## October 2016 
@@ -130,5 +135,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also ## Related topics - [Change history for Plan for Windows 10 deployment](/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment) - [Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -- [Change history for Access Protection](/windows/device-security/change-history-for-device-security) -- [Change history for Access Protection](/windows/threat-protection/change-history-for-threat-protection) +- [Change history for Device Security](/windows/device-security/change-history-for-device-security) +- [Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index f0830b38a4..fee340161a 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -4,7 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy author: greg-lindsay diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md new file mode 100644 index 0000000000..6881363aa1 --- /dev/null +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -0,0 +1,195 @@ +--- +title: Deploy Windows 10 Enterprise licenses +description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: greg-lindsay +--- + +# Deploy Windows 10 Enterprise licenses + +This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD). + +>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. +>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. + +Also in this article: +- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses. +- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them. + +## Active Directory synchronization with Azure AD + +You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD. + +You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) + +**Figure 1. On-premises AD DS integrated with Azure AD** + +For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: + +- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Preparing for deployment: reviewing requirements + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. + +## Assigning licenses to users + +Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: + +![profile](images/al01.png) + +The following methods are available to assign licenses: + +1. 
When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. +2. You can sign in to portal.office.com and manually assign licenses: + + ![portal](images/al02.png) + +3. You can assign licenses by uploading a spreadsheet. +4. A per-user [PowerShell scripted method](http://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. +5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. + +## Explore the upgrade experience + +Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? + +### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703. + +**To join a device to Azure AD the first time the device is started** + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. + + Who owns this PC? page in Windows 10 setup + + **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** + +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. + + Choose how you'll connect - page in Windows 10 setup + + **Figure 3. 
The “Choose how you’ll connect” page in initial Windows 10 setup** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. + + Let's get you signed in - page in Windows 10 setup + + **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** + +Now the device is Azure AD joined to the company’s subscription. + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up** + +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. + + Connect to work or school configuration + + **Figure 5. Connect to work or school configuration in Settings** + +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. + + Set up a work or school account + + **Figure 6. Set up a work or school account** + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. + + Let's get you signed in - dialog box + + **Figure 7. The “Let’s get you signed in” dialog box** + +Now the device is Azure AD joined to the company’s subscription. + +### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. + +Sign in, Windows 10 + +**Figure 8. Sign in by using Azure AD account** + +### Step 3: Verify that Enterprise edition is enabled + +You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. + + +Windows 10 activated and subscription active + +
    **Figure 9 - Windows 10 Enterprise subscription in Settings**
    + + +If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows: + +- The existing Windows 10 Pro, version 1703 operating system is not activated. + +- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active. + +- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active. + +- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. 
+ +- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. + +
    + + +Windows 10 not activated and subscription active +
    **Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
    + +
    + + +Windows 10 activated and subscription not active +
    **Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
    + +
    + + +Windows 10 not activated and subscription not active +
    **Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
    + + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined:** + +1. Open a command prompt and type **dsregcmd /status**. + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10:** + +- At a command prompt, type: + **winver** + + A popup window will display the Windows 10 version number and detailed OS build information. + + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. + diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e872024dd2..fddacf3a05 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -3,7 +3,7 @@ title: What's new in Windows 10 deployment description: Changes and new features related to Windows 10 deployment keywords: deployment, automate, tools, configure, news ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy 
@@ -26,13 +26,21 @@ This topic provides an overview of new solutions and online content related to d ## Windows 10 Enterprise upgrade +Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md). + Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. -For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) +For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) ## Deployment solutions and tools +### Windows AutoPilot + +Windows AutoPilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows AutoPilot to reset, repurpose and recover devices. + +Windows AutoPilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows AutoPilot](windows-10-auto-pilot.md). + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. 
@@ -55,6 +63,9 @@ Update Compliance is a solution built using OMS Logs and Analytics that provides For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md). +### Device Health + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md) ### MBR2GPT diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index 7fbd9c8386..b5a1920b19 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -5,7 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 keywords: settings, database, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index c253293a7e..af480bfc6a 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md 
@@ -5,7 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
 keywords: replication, replicate, deploy, configure, remote
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index bfcbdd5e6b..ba27f0da53 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -5,7 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
 keywords: rules, configuration, automate, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index c168bda59d..726a04ca82 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -5,7 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
 keywords: rules, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index b01d3341c6..1646c5ed79 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -5,7 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
 keywords: customize, customization, deploy, features, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 123fe228b3..34503a310e 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
 keywords: deploy, upgrade, task sequence, install
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.pagetype: mdt
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 128b74d5b1..c6d38e7d4d 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -5,7 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
 keywords: deploy, deployment, configure, customize, install, installation
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 7249255dfd..f98e4c4744 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
 keywords: deployment, automate, tools, configure
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
index def335f1b1..ea7feeecfa 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
 keywords: deploy, tools, configure, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ms.pagetype: mdt
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index b27fa998b0..a954a1ef62 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -5,7 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
 keywords: deploy, image, feature, install, tools
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
index 859c8043e2..84f0f4a09e 100644
--- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
 ms.pagetype: mdt
 keywords: deploy, image, customize, task sequence
 ms.prod: w10
-localizationpriority: high
+ms.localizationpriority: high
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
index b7b5b506bc..7cef6c1c1c 100644
--- a/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/key-features-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
 keywords: deploy, feature, tools, upgrade, migrate, provisioning
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
index f4e26d87e0..c681e75dfc 100644
--- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
+++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md
@@ -5,7 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
 keywords: deploy, install, deployment, boot, log, monitor
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 31098f8dce..7aa852d395 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
 keywords: deploy, system requirements
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index b2f30e6e6d..f142ee7e3f 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -5,7 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
 keywords: reinstallation, customize, template, script, restore
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index aeae4e9b05..88573ebf1d 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -5,7 +5,7 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
 keywords: deploy, deployment, replace
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 48879c632c..9f0765935d 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -5,7 +5,7 @@ description:
 keywords: disk, encryption, TPM, configure, secure, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 815df1eb56..aa93bb9261 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -5,7 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
 keywords: deploy, script
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 7b7aedc7f7..8b4ca7e777 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
 keywords: web services, database
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 ms.pagetype: mdt
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 8c3f5e61f8..7a24e08ad7 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -6,7 +6,7 @@ ms.pagetype: mdt
 keywords: database, permissions, settings, configure, deploy
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 73848f2618..3dea162597 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -5,7 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
 keywords: deploy, web apps
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.pagetype: mdt
 ms.sitesec: library
 author: mtniehaus
diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 5bc508fcfb..35bf254314 100644
--- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -5,7 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
 keywords: image, deploy, distribute
 ms.prod: w10
 ms.mktglfcycl: deploy
-localizationpriority: high
+ms.localizationpriority: high
 ms.sitesec: library
 author: mtniehaus
 ---
@@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point. diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 26edb53a36..c7900eb237 100644 --- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -4,7 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c keywords: deploy, task sequence ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 8f39c84fb0..162a079354 100644 
--- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -5,7 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 keywords: tool, customize, deploy, boot image ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. 
diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 74a433d179..ad81044f04 100644 --- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -4,7 +4,7 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c keywords: deployment, task sequence, custom, customize ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use. 
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md index f79fad1745..16a4af055b 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -5,7 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa keywords: deployment, image, UEFI, task sequence ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001. 
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index cad56a0160..dd501cd667 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -4,7 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 keywords: deployment, custom, boot ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
@@ -15,9 +15,13 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 -If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. 
DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5534680f26..52181700d5 100644 --- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -4,7 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e keywords: configure, deploy, upgrade ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus 
@@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence. diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md index 1f778d1399..efc87d2fab 100644 --- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md @@ -5,7 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce keywords: deploy, upgrade ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- 
@@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature. diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 5d3fafb49e..f005cca535 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -4,7 +4,7 @@ description: This topic will walk you through the process of integrating Microso ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 keywords: install, configure, deploy, deployment ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy ms.sitesec: library author: mtniehaus @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index f8e6e98777..1bd55885aa 100644 --- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -5,7 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 keywords: upgrade, install, installation, computer refresh ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). 
diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index a30798b35b..d77f096553 100644 --- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -5,7 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 keywords: upgrade, install, installation, replace computer, setup ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- @@ -15,7 +15,11 @@ author: mtniehaus **Applies to** -- Windows 10 +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10. 
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
new file mode 100644
index 0000000000..aa4243f2cf
--- /dev/null
+++ b/windows/deployment/deploy.md
@@ -0,0 +1,34 @@
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: high
+author: greg-lindsay
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/images/al01.png b/windows/deployment/images/al01.png
new file mode 100644
index 0000000000..b779b59ac9
Binary files /dev/null and b/windows/deployment/images/al01.png differ
diff --git a/windows/deployment/images/al02.png b/windows/deployment/images/al02.png
new file mode 100644
index 0000000000..6d2216a377
Binary files /dev/null and b/windows/deployment/images/al02.png differ
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 6b815392d2..7d139ec69e 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -1,42 +1,46 @@ --- -title: Deploy Windows 10 (Windows 10) -description: Learn about deploying Windows 10 for IT professionals. +title: Deploy and update Windows 10 (Windows 10) +description: Deploying and updating Windows 10 for IT professionals. ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: greg-lindsay --- -# Deploy, Upgrade and Update Windows 10 -Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. +# Deploy and update Windows 10 -## In this section +Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. The following sections and topics are available. - -### Deploy Windows 10 |Topic |Description | |------|------------| |[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. | -|[Plan for Windows 10 deployment](planning/index.md) | This topic provides information about Windows 10 deployment considerations. It also provides details to assist in Windows 10 deployment planning. | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | -|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. 
| -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | - -### Upgrade to Windows 10 -|Topic |Description | -|------|------------| -|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. | -|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | -|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. 
Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | -|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | -|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). 
| |[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | -### Update Windows 10 + +## Deploy Windows 10 + +Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. + +|Topic |Description | +|------|------------| +|[Overview of Windows AutoPilot](windows-10-auto-pilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. | +|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. | +|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. | +|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. 
Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | +|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | + +## Update Windows 10 + +Information is provided about keeping Windows 10 up-to-date. + |Topic |Description | |------|------------| | [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | 
@@ -54,14 +58,11 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy | [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | -### Additional topics +## Additional topics + |Topic |Description | |------|------------| -|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | -|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | -|[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. | -|[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). | +|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |   diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 1cc9702d45..c87802238e 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -localizationpriority: high +ms.localizationpriority: high --- # MBR2GPT.EXE diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md index ec9afa1603..a86caa380f 100644 --- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md @@ -75,7 +75,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also ## Related topics -[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10.md) +[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10) [Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md) diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 2448b16d8b..dc4c8029ca 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, configure ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high author: TrudyHa --- diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 2ce0b1abdd..9768a7c1f6 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -6,7 +6,7 @@ keywords: deploy, upgrade, update, appcompat ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- 
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 9ddd7ab954..a9cee6bc13 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -4,7 +4,7 @@ description: There are new deployment options in Windows 10 that help you simpl ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE keywords: deploy, upgrade, update, in-place ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: plan ms.sitesec: library author: mtniehaus diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 60a48fef2f..69ba2f2170 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -4,7 +4,7 @@ description: Get answers to common questions around compatibility, installation, keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools ms.prod: w10 ms.mktglfcycl: plan -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: --- diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index f886d6391f..a99af27a4e 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -5,7 +5,7 @@ ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 keywords: deploy, upgrade, update, hardware ms.prod: w10 ms.mktglfcycl: plan -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- 
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 3af0220b18..8051af1421 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 05/16/2017 +ms.date: 07/27/2017 --- # Change history for Update Windows 10 @@ -15,6 +15,10 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## July 2017 + +All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). + ## May 2017 | New or changed topic | Description | diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md new file mode 100644 index 0000000000..eaf38c75d5 --- /dev/null +++ b/windows/deployment/update/device-health-get-started.md 
@@ -0,0 +1,180 @@ +--- +title: Get started with Device Health +description: Configure Device Health in OMS to see statistics on frequency and causes of crashes of devices in your network. +keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: jaimeo +--- + +# Get started with Device Health + +This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health. + +Steps are provided in sections that follow the recommended setup process: +1. Ensure that [prerequisites](#device-health-prerequisites) are met. +2. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. +3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level) to your organization’s devices. + +## Device Health prerequisites + +Device Health has the following requirements: +1. Device Health is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). +2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). +3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. 
Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: + +Service | Endpoint +--- | --- +Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com +Windows Error Reporting | watson.telemetry.microsoft.com +Online Crash Analysis | oca.telemetry.microsoft.com + +>[!NOTE] +> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization) for steps to exclude authentication for these endpoints. + + +## Add Device Health to Microsoft Operations Management Suite + +Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). + +**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. + +**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health: + +1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. + [![](images/uc-02a.png)](images/uc-02.png) + + +2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 
+ [![](images/uc-03a.png)](images/uc-03.png) + + +3. Create a new OMS workspace. + + [![](images/uc-04a.png)](images/uc-04.png) + +4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. + + [![](images/uc-05a.png)](images/uc-05.png) + +5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. + + [![](images/uc-06a.png)](images/uc-06.png) + +6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. + + [![](images/uc-08a.png)](images/uc-08.png) + +7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. + + [![](images/uc-09a.png)](images/uc-09.png) + + + +After you have added Device Health and devices have a Commercial ID, you will begin receiving data. It will typically take 24-48 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. + +>[!NOTE] +>You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. 
+ +## Deploy your Commercial ID to your Windows 10 devices and set the telemetry level + +In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). + +- Using Group Policy

    + Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor. + 1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** + 2. Double-click **Configure the Commercial ID** + 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

    + +- Using Microsoft Mobile Device Management (MDM)

    +Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).   + +## Perform checks to ensure and verify successful deployment + +While you're waiting for the initial data to populate, there are some configuration details it's worth confirming to ensure that the necessary data connections are set up properly. + +### Check for disabled Windows Error Reporting (WER) +  +If WER is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health. + +Check these Registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**: + +- Verify that the value "Disabled" (REG_DWORD), if set, is 0. +- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0. +- Verify that the value "CorporateWERServer" (REG_SZ) is not configured. +  +If you need further information on Windows Error Reporting (WER) settings, see [WER Settings](https://msdn.microsoft.com/library/windows/desktop/bb513638(v=vs.85).aspx). + + +### Endpoint connectivity + +Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic. + +>[!NOTE] +> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. 
(If you need more information about telemetry endpoints and how to manage them, see [Configure Windows telemetry in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization). + +If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access. + +Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). + +To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*: + +```powershell + +$endPoints = @( + 'v10.vortex-win.data.microsoft.com' + 'settings-win.data.microsoft.com' + 'watson.telemetry.microsoft.com' + 'oca.telemetry.microsoft.com' + 'vortex.data.microsoft.com' + ) + +$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded + +``` + +If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. 
+ +To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example: + +```powershell + +[scriptblock]$accessTest = { + $endPoints = @( + 'v10.vortex-win.data.microsoft.com' + 'settings-win.data.microsoft.com' + 'watson.telemetry.microsoft.com' + 'oca.telemetry.microsoft.com' + 'vortex.data.microsoft.com' + ) + + $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded +} + +$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1" +$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt" +$accessTest.ToString() > $scriptFullPath +$null > $outputFileFullPath +$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`"" +$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10) +$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force +Start-Sleep -Seconds 120 +Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false +Get-Content $outputFileFullPath + +``` + +As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints. + + + + + + + +## Related topics + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
    +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) \ No newline at end of file diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md new file mode 100644 index 0000000000..f620c80953 --- /dev/null +++ b/windows/deployment/update/device-health-monitor.md 
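Review bot: The machine-context example under "Endpoint connectivity" runs a script as `NT AUTHORITY\SYSTEM` from a location the administrator may not exclusively control. It writes `TestAccessToMicrosoftEndpoints.ps1` to `$env:ProgramData` and a scheduled task executes it with `-ExecutionPolicy Bypass` ten seconds later. On a default Windows installation, non-administrative users can usually create files in that directory, so the script and the output file that SYSTEM writes could be tampered with between the write and the run. I would point `$scriptFullPath` and `$outputFileFullPath` at a directory whose ACL allows writes only by Administrators and SYSTEM, and quote the path inside the `-Command` string. I would also add `Remove-Item $scriptFullPath, $outputFileFullPath -Force` after `Get-Content $outputFileFullPath`, because the sample as written leaves both files behind once the task is unregistered.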
@@ -0,0 +1,65 @@ +--- +title: Monitor the health of devices with Device Health +description: You can use Device Health in OMS to monitor the frequency and causes of crashes and misbehaving apps on devices in your network. +keywords: oms, operations management suite, wdav, health, log analytics +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: jaimeo +--- + +# Monitor the health of devices with Device Health + +## Introduction + +Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. + +Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This preview release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). + +Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health (preview) from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced telemetry, so you might need to implement this policy if you've not already done so. 
+ + +Device Health provides the following: + +- Identification of devices that crash frequently, and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users +- No need for new complex customized infrastructure, thanks to cloud-connected access using Windows 10 telemetry + +See the following topics in this guide for detailed information about configuring and using the Device Health solution: + +- [Get started with Device Health](device-health-get-started.md): How to add Device Health to your environment. +- [Using Device Health](device-health-using.md): How to begin using Device Health. + +An overview of the processes used by the Device Health solution is provided below. + +## Device Health architecture + +The Device Health architecture and data flow is summarized by the following five-step process: + + + +**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.
    +**(2)** Telemetry data is analyzed by the Microsoft Telemetry Service.
    +**(3)** Telemetry data is pushed from the Microsoft Telemetry Service to your OMS workspace.
    +**(4)** Telemetry data is available in the Device Health solution.
    +**(5)** You are now able to proactively monitor Device Health issues in your environment.
    + +These steps are illustrated in following diagram: + + [![](images/analytics-architecture.png)](images/analytics-architecture.png) + +>[!NOTE] +>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices). + + + +  +## Related topics + +[Get started with Device Health](device-health-get-started.md) + +[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) + +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) \ No newline at end of file diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md new file mode 100644 index 0000000000..9fa09d1431 --- /dev/null +++ b/windows/deployment/update/device-health-using.md 
@@ -0,0 +1,170 @@ +--- +title: Using Device Health +description: Explains how to begin usihg Device Health. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: jaimeo +--- + +# Using Device Health + +This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash. + + +Device Health provides IT Pros with reports on some common problems that users might experience so that they can be proactively remediated. This decreases support calls and improves productivity. + +Device Health provides the following benefits: + +- Identification of devices that crash frequently and therefore might need to be rebuilt or replaced +- Identification of device drivers that are causing device crashes, with suggestions of alternative versions of those drivers that might reduce the number of crashes +- Notification of Windows Information Protection misconfigurations that send prompts to end users + + +>[!NOTE] +>Information is refreshed daily so that health status can be monitored. Changes will be displayed about 24-48 hours after their occurrence, so you always have a recent snapshot of your devices. + +In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. + + +## Device Reliability + +- [Frequently Crashing Devices](#frequently-crashing-devices) +- [Driver-Induced OS Crashes](#driver--induced-OS-crashes) + + + +### Frequently Crashing Devices + +This middle blade in Device Reliability displays the devices that have crashed the most often in the last week. 
This can help you identify unhealthy devices that might need to be rebuilt or replaced. + +See the following example: + + +![The blade in the middle summarizes devices that crash most often](images/dev-health-main-tile-sterile.png) + +Clicking the header of the Frequently Crashing Devices blade opens a reliability perspective view, where you can filter data (by using filters in the left pane), see trends, and compare to commercial averages: + +![Reliability perspective](images/device-reliability2-sterile.png) + +"Commercial averages" here refers to data collected from deployments with a mix of operating system versions and device models that is similar to yours. If your crash rate is higher, there are opportunities for improvement, for example by moving to newer driver versions. + +Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter. + +>[!NOTE] +>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate. + +>[!TIP] +>Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.” + + +If you click through a particular device from the view blade or from the Device Reliability perspective, it will take you to the Crash History perspective for that device. 
+ +![Device detail and history](images/device-crash-history2-sterile.png) + +This displays device records sorted by date and crash details by failure ID, also sorted by date. In this view are a number of useful items: + +- Crash history records by date, aggregated by Failure ID. The Failure ID is an internal number that is used to group crashes that are related to each other. Eventually over time, you can use the Failure ID to provide additional info. If a crash was caused by driver, some driver fields will also be populated. + +- StopCode: this is hex value that would be displayed on a bluescreen if you were looking directly at the affected device. + +- Count: the number times that particular Failure ID has occurred on that specific device *on that date*. + + + + +### Driver-Induced OS Crashes + +This blade (on the right) displays drivers that have caused the most devices to crash in the last two weeks. If your crash rate is high, you can reduce the overall operating system crashes in your deployment by upgrading those drivers with a high crash rate. + + +![The blade on the right summarizes devices that crash most often](images/dev-health-main-tile-sterile.png) + +Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver perspective view, which shows the details for the responsible driver, trends and commercial averages for that driver, and alternative versions of the driver. + +![Driver detail and history](images/driver-detail-1-sterile.png) +![Driver detail and history scrolldown](images/driver-detail-2-sterile.png) + +The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. 
If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization. + + + + + +## Windows Information Protection + + +Windows Information Protection (WIP) helps protect work data from accidental sharing. Users might be disrupted if WIP rules are not aligned with real work behavior. WIP App Learning shows which apps on which computers are attempting to cross policy boundaries. + +For details about deploying WIP policies, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). + +Once you have WIP policies in place, by using the WIP section of Device Health, you can: + +- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. +- Tune WIP rules, for example by confirming that certain apps are allowed or disallowed by current policy. + + +![Main Windows Information Protection view](images/WIPNEWMAIN-sterile.png) + + +Clicking through the **APP LEARNING** tile shows details of app statistics that you can use to explore each incident and update app policies by using AppLocker or WIP AppIDs. + +![WIP details view](images/WIPNEW1-chart-selected-sterile.png) + +In this chart view, you can click a particular app listing, which will open additional details on the app in question, including details you need to adjust your Windows Information Protection Policy: + +![WIP details view for a specific app](images/WIPappID-sterile.png) + +Here you can copy the WipAppid and use that for adjusting the WIP policy. + +## Data model and OMS built-in extensibility + +All of the views and blades display slices of the most useful data by using pre-formed queries. You have access to the full set of data collected by Device Health, which means you can construct your own queries to expose any data that is of interest to you. 
For documentation on working with log searches, see [Find data using log searches](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). This topic section provides information about the data types being populated specifically by Device Health. + +### Example queries + +You can run these queries from the OMS **Log Search** interface (available at several points in the Device Health interface) by just typing them in. There are few details to be aware of: + +- After running a query, make sure to set the date range (which appears upper left after running initial query) to "7 days" to ensure you get data back. +- If you see the search tutorial dialog appearing frequently, it's likely because you are have read-only access to the OMS workspace. Ask a workspace administrator to grant you "contributor" permissions (which is required for the "completed tutorial" state to persist). +- If you use the search filters in the left pane, you might notice there is no control to undo a filter selection. To undo a selection, delete the (FilterName="FilterValue") element that is appended to the search query and then click the search button again. For example, after you run a base query of *Type = DHOSReliability KernelModeCrashCount > 0*, a number of filter options appear on the left. If you then filter on **Manufacturer** (for example, by setting *Manufacturer="Microsoft Corporation"* and then clicking **Apply**), the query will change to *Type = DHOSReliability KernelModeCrashCount > 0 (Manufacturer="Microsoft Corporation")*. Delete *(Manufacturer="Microsoft Corporation")* and then click the **search** button again to re-run the query without that filter. 
+ +### Device reliability query examples + +|Data|Query| +|-------------------|------------------------| +|Total devices| Type = DHOSReliability \| measure countdistinct(ComputerID) by Type| +|Number of devices that have crashed in the last three weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type| +|Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels).| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table| +|As above, but sorted by device manufacturer| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table| +|As above, but sorted by model| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table| +|As above, but sorted by operating system version| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table| +|Crash rate trending in my organization compared to the commercial average. 
Each interval shows percentage of devices that crashed at least once in the trailing two weeks| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart| +|Table of devices that have crashed the most in the last two weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table| +|Detailed crash records, most recent first| Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table| +|Number of devices that crashed due to drivers| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type| +|Table of drivers that have caused the most devices to crash| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table| +|Trend of devices crashed by driver by day| * Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName | top 5} \| measure countdistinct(ComputerID) as NumberDevices by DriverName interval 1day| +|Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list). 
This lets you get an idea of which *versions* of a given driver work best with your devices| Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table| +|Top crashes by FailureID| Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table| + +### Windows Information Protection (WIP) App Learning query examples + +|Data|Query| +|-------------------|------------------------| +|Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names)| Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName| +|Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change| Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" | measure countdistinct(ComputerID) as ComputerCount interval 1day| + +### Exporting data and configuring alerts + +OMS enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set. + + + + +## Related topics + +[Get started with Device Health](device-health-get-started.md)
    + +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) \ No newline at end of file diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png new file mode 100644 index 0000000000..96b0a90280 Binary files /dev/null and b/windows/deployment/update/images/WIP-detail.png differ diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png new file mode 100644 index 0000000000..ee7f30c014 Binary files /dev/null and b/windows/deployment/update/images/WIP.png differ diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png new file mode 100644 index 0000000000..7cc35cde75 Binary files /dev/null and b/windows/deployment/update/images/WIP2-sterile.png differ diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG new file mode 100644 index 0000000000..87255177e0 Binary files /dev/null and b/windows/deployment/update/images/WIP2.PNG differ diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png new file mode 100644 index 0000000000..eb2cabdcfd Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png differ diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG new file mode 100644 index 0000000000..29e14d5411 Binary files /dev/null and b/windows/deployment/update/images/WIPNEW1.PNG differ diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png new file mode 100644 index 0000000000..1ee1148c8f Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2-sterile.png differ 
diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG
new file mode 100644
index 0000000000..af7a8c84b7
Binary files /dev/null and b/windows/deployment/update/images/WIPNEW2.PNG differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png
new file mode 100644
index 0000000000..5efc5250c1
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN-sterile.png differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG
new file mode 100644
index 0000000000..b56da2b409
Binary files /dev/null and b/windows/deployment/update/images/WIPNEWMAIN.PNG differ
diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png
new file mode 100644
index 0000000000..43bad68ed0
Binary files /dev/null and b/windows/deployment/update/images/WIPappID-sterile.png differ
diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG
new file mode 100644
index 0000000000..49ea2bc99c
Binary files /dev/null and b/windows/deployment/update/images/WIPappID.PNG differ
diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG
new file mode 100644
index 0000000000..adb905255d
Binary files /dev/null and b/windows/deployment/update/images/WIPmain.PNG differ
diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png
new file mode 100644
index 0000000000..1b537c1c9b
Binary files /dev/null and b/windows/deployment/update/images/analytics-architecture.png differ
diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png
new file mode 100644
index 0000000000..c06ced4864
Binary files /dev/null and b/windows/deployment/update/images/app-detail.png differ
diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png
new file mode 100644
index 0000000000..d8daee44ed
Binary files /dev/null and b/windows/deployment/update/images/app-health-dashboard.png differ
diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png
new file mode 100644
index 0000000000..3a6447329c
Binary files /dev/null and b/windows/deployment/update/images/crash-hang-detail.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png
new file mode 100644
index 0000000000..1619d8bf70
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile-sterile.png differ
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png
new file mode 100644
index 0000000000..850b558512
Binary files /dev/null and b/windows/deployment/update/images/dev-health-main-tile.png differ
diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png
new file mode 100644
index 0000000000..69f98f1d67
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history.png differ
diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png
new file mode 100644
index 0000000000..18056ed801
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2-sterile.png differ
diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG
new file mode 100644
index 0000000000..646afb4091
Binary files /dev/null and b/windows/deployment/update/images/device-crash-history2.PNG differ
diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png
new file mode 100644
index 0000000000..af8bb1d247
Binary files /dev/null and b/windows/deployment/update/images/device-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png
new file mode 100644
index 0000000000..28fbf3725b
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2-sterile.png differ
diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG
new file mode 100644
index 0000000000..9af6d971b0
Binary files /dev/null and b/windows/deployment/update/images/device-reliability2.PNG differ
diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png
new file mode 100644
index 0000000000..0437e555a1
Binary files /dev/null and b/windows/deployment/update/images/driver-deeper-detail.png differ
diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png
new file mode 100644
index 0000000000..7dcd86366f
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG
new file mode 100644
index 0000000000..deeb998493
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-1.PNG differ
diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png
new file mode 100644
index 0000000000..e5fa480c3e
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2-sterile.png differ
diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG
new file mode 100644
index 0000000000..71f16697f5
Binary files /dev/null and b/windows/deployment/update/images/driver-detail-2.PNG differ
diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png
new file mode 100644
index 0000000000..ab391f5adb
Binary files /dev/null and b/windows/deployment/update/images/driver-detail.png differ
diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png
new file mode 100644
index 0000000000..906b0a2189
Binary files /dev/null and b/windows/deployment/update/images/health-summary.png differ
diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png
new file mode 100644
index 0000000000..10b59a01d0
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail-faillure.png differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
new file mode 100644
index 0000000000..2d3871fc42
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail.png differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
new file mode 100644
index 0000000000..fd4f6740bd
Binary files /dev/null and b/windows/deployment/update/images/login-health.png differ
diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png new file mode 100644 index 0000000000..58e812dafa Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective.png differ diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG new file mode 100644 index 0000000000..978cacc4f5 Binary files /dev/null and b/windows/deployment/update/images/reliability-perspective2.PNG differ diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 4d6601fda8..01404a9781 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index e284dc274b..98db5c9f8c 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Configure BranchCache for Windows 10 updates 
@@ -53,7 +54,7 @@ In addition to these steps, there is one requirement for WSUS to be able to use - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b41a060c96..d71fba917a 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Configure Windows Update for Business 
@@ -19,6 +20,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] @@ -36,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** 
@@ -257,7 +263,7 @@ In the Windows Update for Business policies in version 1511, all the deferral ru - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index e15cd39494..2b77126ecf 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Configure Delivery Optimization for Windows 10 updates 
@@ -204,7 +205,7 @@ On devices that are not preferred, you can choose to set the following policy to - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md index f8a51fb650..224da4899d 100644 --- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md +++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Build deployment rings for Windows 10 updates 
@@ -29,35 +30,30 @@ Table 1 provides an example of the deployment rings you might use. **Table 1** -| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release | -| --- | --- | --- | -| Preview | Windows Insider | Pre-CB | -| Ring 1 Pilot IT | CB | CB + 0 weeks | -| Ring 2 Pilot business users | CB | CB + 4 weeks | -| Ring 3 Broad IT | CB | CB + 6 weeks | -| Ring 4 Broad business users | CBB | CBB + 0 weeks | -| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints | +| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example | +| --- | --- | --- | --- | --- | +| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel | +| Targeted | Semi-annual channel (Targeted) | None | None | Select devices across various teams used to evaluate the major release prior to broad deployment | +| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedback
    Pause updates if there are critical issues | +| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization | >[!NOTE] ->In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates. +>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC servicing channel does not receive feature updates. > ->Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates. +>Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insider devices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates. -As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. 
- -![illustration of rings](images/waas-rings.png) - +As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense. ## Steps to manage updates for Windows 10 | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index 294a8ed333..24c89c24be 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Integrate Windows Update for Business with management solutions @@ -97,7 +98,7 @@ For Windows 10, version 1607, organizations already managing their systems with - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md index 13e614dbf4..0fdb3289c7 100644 --- a/windows/deployment/update/waas-manage-updates-configuration-manager.md +++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md 
@@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Deploy Windows 10 updates using System Center Configuration Manager @@ -17,7 +18,12 @@ ms.author: daniha - Windows 10 - Windows 10 Mobile -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. 
@@ -292,10 +298,10 @@ With the task sequence created, you’re ready to deploy it. If you’re using t | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or Deploy Windows 10 updates using System Center Configuration Manager (this topic) | @@ -310,7 +316,7 @@ With the task sequence created, you’re ready to deploy it. If you’re using t - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index f9cc0b2feb..765051754a 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -18,6 +18,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. 
@@ -322,10 +327,10 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or Deploy Windows 10 updates using Windows Server Update Services (this topic)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | @@ -337,7 +342,7 @@ Now that you have the All Windows 10 Upgrades view, complete the following steps - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 2c33b3ad01..7391b7bb5e 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -19,6 +19,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Specifically, Windows Update for Business allows for: @@ -75,7 +80,7 @@ The pause period is now calculated starting from the set start date. For additio Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. >[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-branches). +>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels). 
@@ -102,10 +107,10 @@ For more information about Update Compliance, see [Monitor Windows Updates using | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | @@ -114,7 +119,7 @@ For more information about Update Compliance, see [Monitor Windows Updates using - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index 35ed31ba72..9234f54996 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -20,14 +20,19 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!TIP] ->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. +>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first. -Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. +Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. [Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
    +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + | Windows 10 edition | CB | CBB | Insider Program | | --- | --- | --- | --- | --- | | Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | @@ -68,7 +73,7 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index f6ff84324d..899f98788b 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -47,7 +47,10 @@ Two methods of peer-to-peer content distribution are available in Windows 10. ## Express update delivery -Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. +Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. + +>[!NOTE] +>Currently, Express update delivery only applies to quality update downloads. ### How Microsoft supports Express - **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. 
@@ -83,10 +86,10 @@ At this point, the download is complete and the update is ready to be installed. | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index b1034016b5..fac84472ae 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Overview of Windows as a service @@ -22,7 +23,7 @@ ms.author: daniha The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - + ## Building 
@@ -56,11 +57,22 @@ Device compatibility in Windows 10 is also very strong; new hardware is not need Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality twice per year, and quality updates that provide security and reliability fixes at least once a month. -With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). +With Windows 10, organizations will need to change the way they approach deploying updates. Servicing channels are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing channels comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing channel to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing channels and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools). 
-To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches). +To align with this new update delivery model, Windows 10 has three servicing channels, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing channels available in Windows 10, see [Servicing channels](#servicing-channels). + +### Naming changes + +As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: +* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). + +>[!NOTE] +>For additional information, see the section about [Servicing Channels](#servicing-channels). +> +>You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. ### Feature updates 
@@ -72,9 +84,9 @@ With Windows 10, Microsoft will package new features into feature updates that c ### Quality updates -Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes. +Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes. -In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. +In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. 
This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. **Figure 1** 
@@ -82,60 +94,58 @@ In Windows 10, rather than receiving several updates each month and trying to fi -## Servicing branches +## Servicing channels -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. -The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). +With that in mind, Windows 10 offers 3 servicing channels. 
The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). + +The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). >[!NOTE] ->Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). +>Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). 
+### Semi-Annual Channel -### Current Branch +In the Semi-Annual servicing channel, feature updates are available as soon as Microsoft releases them. Windows 10, version 1511, had few servicing tool options to delay feature updates, limiting the use of the Semi-Annual servicing channel. Windows 10, version 1607 and onward, includes more servicing tools that can delay feature updates for up to 365 days. This servicing modal is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. +Once the latest release went through pilot deployment and testing, you choose the timing at which it goes into broad deployment. -In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. - -When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. 
Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). - - - ### Current Branch for Business - -Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Each feature update release will be supported and updated for 18 months from the time of its release. +When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. 
For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). +Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release >[!NOTE] ->Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. +>Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. -Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—it’s considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesn’t need delayed updates, it’s simple to change it back. +### Long-term Servicing Channel -### Long-term Servicing Branch - -Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. 
The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. +Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. >[!NOTE] ->LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch. +>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> +>Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. 
As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. -Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. +Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] >Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). -LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSB model primarily for specialized devices. Since Windows Store client is not available in Windows 10 Enterprise LTSB, if you need to run a Windows Store app, you should not use Windows 10 LTSB on that device. +The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. 
This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices. >[!NOTE] ->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB. +>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. ### Windows Insider -For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation. 
+For many IT pros, gaining visibility into feature updates early—before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next Semi-Annual Channel release. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md). >[!NOTE] >Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. > ->The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +>The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. 
@@ -143,8 +153,8 @@ Microsoft recommends that all organizations have at least a few PCs enrolled in There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates: -- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client. -- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. +- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. 
Organizations can target which devices defer updates by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client. +- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes control over update deferment and provides centralized management using Group Policy. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the Semi-Annual Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune. - **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. - **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. @@ -159,16 +169,19 @@ With all these options, which an organization chooses depends on the resources, | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | | Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | +>[!NOTE] +>Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +
    ## Steps to manage updates for Windows 10 | | | | --- | --- | -| ![done](images/checklistdone.png) | Learn about updates and servicing branches (this topic) | +| ![done](images/checklistdone.png) | Learn about updates and servicing channels (this topic) | | ![to do](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | @@ -185,12 +198,4 @@ With all these options, which an organization chooses depends on the resources, - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -- [Manage device restarts after updates](waas-restart.md) - - - - - - - - +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 3a5f929896..8b85bf57aa 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- # Quick guide to Windows as a service 
@@ -26,20 +27,22 @@ Some new terms have been introduced as part of Windows as a service, so you shou - **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. - **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. -- **Servicing channels** allow organizations to choose when to deploy new features. The Semi-Annual Channel receives feature updates twice per year. The Long Term Servicing Channel, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. +- **Servicing channels** allow organizations to choose when to deploy new features. + - The **Semi-Annual Channel** receives feature updates twice per year. + - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases about every three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. 
## Key Concepts -Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. +Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release. Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. -See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information. +See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information. ## Staying up to date @@ -55,7 +58,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window ## Video: An overview of Windows as a service - + ## Learn more 
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 1c88ea8fb5..807d2f4a3d 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -5,8 +5,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/05/2017 --- # Manage device restarts after updates 
@@ -25,24 +26,24 @@ You can use Group Policy settings, mobile device management (MDM) or Registry (n In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time. -To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). +To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur. While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur. -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). 
+For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). ## Delay automatic reboot -When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion: +When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation: - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). +For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). ## Configure active hours 
@@ -56,7 +57,7 @@ Administrators can use multiple ways to set active hours for managed devices: - You can use Group Policy, as described in the procedure that follows. - You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm). -- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry). +- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry). ### Configuring active hours with Group Policy @@ -76,7 +77,7 @@ Any settings configured through Registry may conflict with any existing configur You should set a combination of the following registry values, in order to configure active hours. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours. -For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). +For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). >[!NOTE] >To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**. 
@@ -93,7 +94,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan ## Limit restart delays -After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. +After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14. ## Control restart notifications 
@@ -122,7 +123,7 @@ To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https:/ ### Scheduled auto-restart warnings -Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled a restart. You can also configure a configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. +Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work. To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**. 
@@ -130,10 +131,10 @@ In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarnin ### Engaged restart -Engaged restart is the period of time when users are required to schedule a restart. When this period ends (7 days by default), Windows transitions to auto-restart outside of active hours. +Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts. The following settings can be adjusted for engaged restart: -* Period of time before engaged restart transitions to auto-restart. +* Period of time before auto-restart transitions to engaged restart. * The number of days that users can snooze engaged restart reminder notifications. * The number of days before a pending restart automatically executes outside of working hours. 
@@ -184,7 +185,7 @@ The following tables list registry values that correspond to the Group Policy se There are 3 different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. -- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. +- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. - To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. ## Related topics diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md similarity index 75% rename from windows/deployment/update/waas-servicing-branches-windows-10-updates.md rename to windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 43aade46a5..dd5cbaf8b7 100644 --- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md 
@@ -1,15 +1,16 @@ --- -title: Assign devices to servicing branches for Windows 10 updates (Windows 10) +title: Assign devices to servicing channels for Windows 10 updates (Windows 10) description: tbd ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha +ms.date: 07/27/2017 --- -# Assign devices to servicing branches for Windows 10 updates +# Assign devices to servicing channels for Windows 10 updates **Applies to** 
@@ -20,11 +21,13 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!TIP] ->If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. +>If you're not familiar with the Windows 10 servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first. +> +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10. +Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10. -| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program | +| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program | | --- | --- | --- | --- | --- | | Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | | Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | 
@@ -40,7 +43,12 @@ Current Branch is the default servicing branch for all Windows 10 devices except >[!NOTE] >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -## Assign devices to Current Branch for Business +## Assign devices to Semi-Annual Channel + +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. **To assign a single PC locally to CBB** 
@@ -96,7 +104,7 @@ Enrolling devices in the Windows Insider Program is simple and requires only a M After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select. The options for Insider level are: -- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. +- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for Semi-Annual Channel. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. - **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build. - **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality. 
@@ -110,9 +118,9 @@ To prevent devices in your enterprise from being enrolled in the Insider Program - Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds** - MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview) -## Switching branches +## Switching channels -During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. +During the life of a device, it may be necessary or desirable to switch between the available channels. Depending on the channel you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
    @@ -122,63 +130,63 @@ During the life of a device, it may be necessary or desirable to switch between - - + + - - + + - - + + - + - + - - + + - + - + - - + + - + - + - - + + - - + +
    From this branchTo this branchFrom this channelTo this channel You need to
    Windows Insider ProgramCurrent BranchWait for the final Current Branch release.Semi-Annual Channel (Targeted)Wait for the final Semi-Annual Channel release.
    Current Branch for BusinessNot directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.Semi-Annual ChannelNot directly possible, because Windows Insider Program devices are automatically upgraded to the Semi-Annual Channel (Targeted) release at the end of the development cycle.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Current BranchSemi-Annual Channel (Targeted) Insider Use the Settings app to enroll the device in the Windows Insider Program.
    Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.Semi-Annual ChannelSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Semi-Annual Channel release.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Current Branch for BusinessSemi-Annual Channel Insider Use the Settings app to enroll the device in the Windows Insider Program.
    Current BranchDisable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.Semi-Annual Channel (Targeted)Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Semi-Annual Channel release.
    Long-Term Servicing BranchLong-Term Servicing Channel Not directly possible (requires wipe-and-load).
    Long-Term Servicing BranchLong-Term Servicing Channel Insider Use media to upgrade to the latest Windows Insider Program build.
    Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)Long-Term Servicing Channel (Targeted)Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.)
    Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.Long-Term Servicing ChannelUse media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build.
    @@ -195,10 +203,10 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | | ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![done](images/checklistdone.png) | Assign devices to servicing branches for Windows 10 updates (this topic) | +| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index a53ddfc63c..c6cd1ca434 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
@@ -27,19 +27,21 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. -- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-annual Channel. 
Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. 
Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). >[!NOTE] >This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> +>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: 1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. 
For more information about device and application compatibility in Windows 10, see the section Compatibility. -2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. +2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. 
Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it. 3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department. @@ -47,10 +49,10 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou | | | | --- | --- | -| ![done](images/checklistdone.png) | [Learn about updates and servicing branches](waas-overview.md) | +| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) | | ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) | | ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | -| ![to do](images/checklistbox.gif) | [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | +| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | | ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
    or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
    or [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) |
diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md
index 9b9ebc28ce..9f3bfed774 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-aad.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-aad.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md
index 4ad1cd7e3f..7115a9f6d5 100644
--- a/windows/deployment/update/waas-windows-insider-for-business-faq.md
+++ b/windows/deployment/update/waas-windows-insider-for-business-faq.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index 4a57a47307..333ee70f35 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: DaniHalfin
-localizationpriority: high
+ms.localizationpriority: high
 ms.author: daniha
 ---
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 006e2e91e3..8e83c58fd6 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha ms.date: 05/16/2017 --- diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 5833d568ae..139a173b93 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- @@ -18,6 +18,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch. 
@@ -339,7 +344,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 8375a45ceb..5faa58e16a 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin -localizationpriority: high +ms.localizationpriority: high ms.author: daniha --- 
@@ -19,6 +19,11 @@ ms.author: daniha > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +>[!IMPORTANT] +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> +>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. + You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. 
@@ -262,7 +267,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) +- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) - [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 7df51a183e..81aed1c722 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -localizationpriority: high +ms.localizationpriority: high --- # Resolve Windows 10 upgrade errors : Technical information for IT Pros 
@@ -686,9 +686,13 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT Mitigation -[Analyze log files](#analyze-log-files) in order to determine the files that are blocking data migration. +[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration. -Note: This error can occur if Active Directory integrated user accounts exist on the computer, but these accounts are no longer present in Active Directory. To repair this error, delete the invalid accounts from the **Users** directory on the local computer and restart the upgrade process. +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index fa59c94780..c3ef73e060 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
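Review bot: The added repair text tells the reader to delete invalid files, user profiles and stale entries under **ProfileList**, but it never says to back them up first, so a wrong deletion cannot be undone. I would add a sentence before the delete instruction, such as `Before deleting anything, export the ProfileList registry key and back up the affected folders under \Users.` Also, "registry entires" in the first added line should read "registry entries".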
@@ -13,11 +13,11 @@ author: greg-lindsay To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. >[!IMPORTANT] ->Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. +>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). -> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). +> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). The Upgrade Readiness deployment script does the following: 
@@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following: To run the Upgrade Readiness deployment script: -1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. +1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 2. Edit the following parameters in RunConfig.bat: @@ -66,7 +66,7 @@ To run the Upgrade Readiness deployment script: \*vortex\*.data.microsoft.com
    \*settings\*.data.microsoft.com -5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. +5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. @@ -81,7 +81,7 @@ The deployment script displays the following exit codes to let you know if it wa 1 - Unexpected error occurred while executiEng the script. - The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. + The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. 2 - Error when logging to console. $logMode = 0.
    (console only) 
@@ -132,15 +132,16 @@ The deployment script displays the following exit codes to let you know if it wa 13 - Can’t connect to Microsoft - setting. - An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. +14 14 - Can’t connect to Microsoft - compatexchange. - An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). 
15 - Function CheckVortexConnectivity failed with an unexpected exception. - This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. + This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. 16 - The computer requires a reboot before running the script. @@ -196,10 +197,10 @@ The deployment script displays the following exit codes to let you know if it wa 29 - Connectivity check failed for proxy authentication. - Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. + Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting.
    The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7.
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
    For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
    For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. @@ -209,7 +210,7 @@ The deployment script displays the following exit codes to let you know if it wa 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. - Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. + Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. 32 - Appraiser version on the machine is outdated. @@ -217,7 +218,7 @@ The deployment script displays the following exit codes to let you know if it wa 33 - **CompatTelRunner.exe** exited with an exit code - **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details. + **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. 34 - Function **CheckProxySettings** failed with an unexpected exception. 
@@ -278,7 +279,49 @@ The deployment script displays the following exit codes to let you know if it wa 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. - **CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. + **CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. + + + 50 - Diagtrack Service is not running. + Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service. + + + 51 - RunCensus failed with an unexpected exception. + RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. + + + 52 - DeviceCensus.exe not found on a Windows 10 machine. + On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. + + + 53 - There is a different CommercialID present at the GPO path:  "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection". This will take precedence over the CommercialID provided in the script. + Provide the correct CommercialID at the GPO location. +>[!NOTE] +>**Additional steps to follow if you receive exit code 33** + +>Check the exit code for any of these messages: +> +>- CompatTelRunner.exe exited with last error code: 0x800703F1 +>- CompatTelRunner.exe exited with last error code: 0x80070005 +>- CompatTelRunner.exe exited with last error code: 0x80080005 +>  +> +>If the exit code includes any of those messages, then run these commands from an elevated command prompt: +> +>1. Net stop diagtrack +>2. 
Net stop pcasvc +>3. Net stop dps +>4. Del %windir%\appcompat\programs\amcache.hve +>5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f +>6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f +>7. Net start diagtrack +>8. Net start pcasvc +>9. Net start dps +> +>Then run the Enterprise Config script (RunConfig.bat) again.  +> +>If the script still fails, then send mail to **uasupport@microsoft.com** including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. + diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index eb98ebd2cf..687130e800 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md 
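Review bot: Step 4 of the new exit code 33 note deletes `%windir%\appcompat\programs\amcache.hve` with no instruction to keep a copy, and that hive is a record of program execution that incident responders and forensic tooling rely on. I would insert a step between the service stops and the delete, for example `Copy %windir%\appcompat\programs\amcache.hve <backup-folder>` (placeholder path), and state that the commands should be run only on the computer that returned exit code 33. The note also asks readers to mail RunConfig.bat and AslLog log files to a support address; one sentence reminding them to check those logs for machine identifiers before sending would help. "explitly" in the exit code 51 row should be "explicitly".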
@@ -30,7 +30,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). -Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-branch) to understand more about LTSB. +Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB. ## Operations Management Suite diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 16a4afb7a6..f0e227a621 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -4,7 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 keywords: upgrade, update, task sequence, deploy ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high ms.mktglfcycl: deploy author: mtniehaus --- 
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 1f11512559..85e7a02389 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -5,7 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 311e03efba..1a3d373bbe 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -4,7 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: Jamiejdt diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 3fb9bda5d9..e98e9e3167 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -4,7 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mobile author: greg-lindsay 
@@ -21,8 +21,8 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. X = unsupported
    -✔ (green) = supported; reboot required
    -✔ (blue) = supported; no reboot required. +✔ (green) = supported; reboot required
    +✔ (blue) = supported; no reboot required |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise | diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 195aaaa374..7b48b01727 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -4,7 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -localizationpriority: high +ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay --- diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md new file mode 100644 index 0000000000..8d3a787f3c --- /dev/null +++ b/windows/deployment/vda-subscription-activation.md 
@@ -0,0 +1,88 @@ +--- +title: Configure VDA for Windows 10 Subscription Activation +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: greg-lindsay +--- + +# Configure VDA for Windows 10 Subscription Activation + +This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. + +## Requirements + +- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. +- VMs must be Active Directory-joined or Azure Active Directory-joined. +- VMs must be generation 1. +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +## Active Directory-joined VMs + +1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image) +2. (Optional) To disable network level authentication, type the following at an elevated command prompt: + + ``` + REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f + ``` + +3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. +4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. +5. Click **Add**, type **Authenticated users**, and then click **OK** three times. +6. 
Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd). +7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). +8. Open Windows Configuration Designer and click **Provison desktop services**. +9. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. + - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. +10. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. +11. On the Set up network page, choose **Off**. +12. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). +13. On the Add applications page, add applications if desired. This step is optional. +14. On the Add certificates page, add certificates if desired. This step is optional. +15. On the Finish page, click **Create**. +16. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. +17. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: + + ``` + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` +18. Right-click the mounted image in file explorer and click **Eject**. +19. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. 
+ +## Azure Active Directory-joined VMs + +>[!IMPORTANT] +>Azure Active Directory (Azure AD) provisioning packages have a 30 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 30 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. + +For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: +- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. +- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) +- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below. + +To create custom RDP settings for Azure: + +1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. +2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +3. Close the Remote Desktop Connection window and open Notepad. +4. Drag the RDP file into the Notepad window to edit it. +5. Enter or replace the line that specifies authentication level with the following two lines of text: + + ```text + enablecredsspsupport:i:0 + authentication level:i:2 + ``` +6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. +7. 
Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related topics + +[Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) +
    [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) +
    [Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) + diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 0a6428d6c9..095d461e1e 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -localizationpriority: high +ms.localizationpriority: high --- # Activate using Active Directory-based activation diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 9b9225de42..57fdf3e0a6 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Activate using Key Management Service diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index acf1786ec8..2a3c80b8b2 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
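Review bot: Step 2 turns off Network Level Authentication and the custom RDP file sets `enablecredsspsupport:i:0`, yet the new page never says what that costs or how to compensate. With NLA off the host presents a logon session before the user is authenticated, and step 5 grants Remote Desktop access to every authenticated user. I would add a caveat directly after step 2, for example `> [!NOTE] Disabling NLA exposes the logon screen to unauthenticated connections. Restrict inbound RDP to trusted networks or a gateway, and leave NLA enabled on VMs that do not need it off.` Separately, the new file's front matter still uses `localizationpriority: high`, while this commit renames that key in the other files; it should be `ms.localizationpriority: high`.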
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Activate clients running Windows 10 diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 1ea07efda6..ca6ec523b8 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation **Applies to** diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index 3c4cd55263..d141c48130 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install and Configure VAMT diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index 5a296869a0..1aecc1fd56 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install a KMS Client Key 
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 0418bd6a7c..623f14c7bd 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install a Product Key diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 767086f01e..f20fa8522a 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Install VAMT diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 215c706ab1..ffe55fe3ad 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -localizationpriority: medium +ms.localizationpriority: medium --- # Monitor activation diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 93bf083b08..37335d3504 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: medium +ms.localizationpriority: medium --- # Plan for volume activation diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index 0322aa4208..b81e84356d 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Use the Volume Activation Management Tool diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index a9746eeb19..d7cc0b2c2a 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerms -localizationpriority: high +ms.localizationpriority: high --- # Volume Activation for Windows 10 diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md index 9d8881dce7..4bcaef04a8 100644 --- a/windows/deployment/windows-10-auto-pilot.md +++ b/windows/deployment/windows-10-auto-pilot.md 
@@ -1,15 +1,15 @@ --- title: Overview of Windows AutoPilot -description: This topic goes over Auto-Pilot and how it helps setup OOBE Windows 10 devices. +description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices. keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy author: DaniHalfin ms.author: daniha -ms.date: 06/28/2017 +ms.date: 06/30/2017 --- # Overview of Windows AutoPilot @@ -19,21 +19,21 @@ ms.date: 06/28/2017 - Windows 10 Windows AutoPilot is a collection of technologies used to setup and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
    -This solution enables the IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. +This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. ## Benefits of Windows AutoPilot -Traditionally, IT Pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. +Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach. From the users' perspective, it only takes a few simple operations to make their device ready to use. -From the IT Pros' perspective, the only interaction required from the end-user, is to connect to a network and to verify their credentials. Everything past that is automated. +From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. Windows AutoPilot allows you to: -* Automatically join devices to Azure Active Directory -* Auto-enroll devices into MDM services, such as Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Automatically join devices to Azure Active Directory (Azure AD) +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) * Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on the devices' profile +* Create and auto-assign devices to configuration groups based on a device's profile * Customize OOBE content specific to the organization ### Prerequisites 
@@ -41,7 +41,7 @@ Windows AutoPilot allows you to: * [Devices must be registered to the organization](#registering-devices-to-your-organization) * Devices have to be pre-installed with Windows 10, version 1703 or later * Devices must have access to the internet -* [Azure AD premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) * Microsoft Intune or other MDM services to manage your devices ## Windows AutoPilot Scenarios @@ -55,9 +55,9 @@ The Cloud-Driven scenario enables you to pre-register devices through the Window The end user unboxes and turns on a new device. What follows are a few simple configuration steps: * Select a language and keyboard layout * Connect to the network -* Provide email address (the email of the user's Azure Active Directory account) and password +* Provide email address (the email address of the user's Azure AD account) and password -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure Active Directory, enrolled in Microsoft Intune (or any other MDM service). +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. 
@@ -68,42 +68,35 @@ MDM enrollment ensures policies are applied, apps are installed and setting are In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. -If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID. +If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID. -```PowerShell -$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt" -``` >[!NOTE] ->This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance. +>This PowerShell script requires elevated permissions. By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization. Additional options and customization is available through these portals to pre-configure the devices. 
-Options available for Windows 10, Version 1703: +Options available for Windows 10, version 1703: * Skipping Work or Home usage selection (*Automatic*) * Skipping OEM registration, OneDrive and Cortana (*Automatic*) * Skipping privacy settings * Preventing the account used to set-up the device from getting local administrator permissions -Additional options we are working on for the next Windows 10 release: -* Skipping EULA -* Personalizing the setup experience -* MDM Support +We are working to add additional options to further personalize and streamline the setup experience in future releases. -To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). +To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). ### IT-Driven -If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with WCD, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). +If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. 
This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). ### Teacher-Driven -If you're an IT Pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. ## Ensuring your device can be auto-enrolled to MDM -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please follow [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. >[!NOTE] ->MDM Auto-enrollment requires an Azure AD Premium P1 or P2 subscription. 
\ No newline at end of file +>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 9c89248ded..242f5aa4e7 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -5,7 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 keywords: upgrade, in-place, configuration, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md index a6b000c3e9..d6f852cae5 100644 --- a/windows/deployment/windows-10-deployment-tools-reference.md +++ b/windows/deployment/windows-10-deployment-tools-reference.md @@ -1,5 +1,5 @@ --- -title: Windows 10 deployment tools reference (Windows 10) +title: Windows 10 deployment tools (Windows 10) description: Learn about the tools available to deploy Windows 10. ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB ms.prod: w10 @@ -8,52 +8,16 @@ ms.sitesec: library author: greg-lindsay --- -# Windows 10 deployment tools reference - +# Windows 10 deployment tools Learn about the tools available to deploy Windows 10. -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)

    To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.

    [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)

    The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.

    [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)

    The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.

    [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)

    The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.

    - -  - -  - -  - - - - - +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. 
| +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md new file mode 100644 index 0000000000..d6f852cae5 --- /dev/null +++ b/windows/deployment/windows-10-deployment-tools.md 
@@ -0,0 +1,23 @@ +--- +title: Windows 10 deployment tools (Windows 10) +description: Learn about the tools available to deploy Windows 10. +ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +--- + +# Windows 10 deployment tools + +Learn about the tools available to deploy Windows 10. + +|Topic |Description | +|------|------------| +|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | +|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | +|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. | +|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. 
| +|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. | +|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals | diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index c3861f8fe5..f76208ce9c 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md 
@@ -1,21 +1,20 @@ --- -title: Windows 10 Enterprise E3 in CSP Overview +title: Windows 10 Enterprise E3 in CSP description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: greg-lindsay --- -# Windows 10 Enterprise E3 in CSP Overview +# Windows 10 Enterprise E3 in CSP Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: - Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded - - Azure Active Directory (Azure AD) available for identity management Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. 
@@ -134,151 +133,9 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -## Preparing for deployment of Windows 10 Enterprise E3 licenses +## Deployment of Windows 10 Enterprise E3 licenses -You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 licenses to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) - -**Figure 1. 
On-premises AD DS integrated with Azure AD** - -For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: - -- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -### Preparing for deployment: reviewing requirements - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. - - - -## Explore the upgrade experience - -Now that your subscription has been established (by the partner who you work with) and Windows 10 Enterprise E3 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices? - -### Step 1: Join users’ devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. - - Who owns this PC? page in Windows 10 setup - - **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. 
- - Choose how you'll connect - page in Windows 10 setup - - **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up** - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. - - Connect to work or school configuration - - **Figure 5. Connect to work or school configuration in Settings** - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. - - Set up a work or school account - - **Figure 6. Set up a work or school account** - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. - - Let's get you signed in - dialog box - - **Figure 7. The “Let’s get you signed in” dialog box** - -Now the device is Azure AD joined to the company’s subscription. - -### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 8. Sign in by using Azure AD account** - -### Step 3: Verify that Enterprise edition is enabled - -You can verify the Windows 10 Enterprise E3 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**. 
- - -#### Figure 9 - Windows 10 Enterprise E3 subscription in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Enterprise E3 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Enterprise E3 subscription. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1607 operating system is not activated. - -- The Windows 10 Enterprise E3 subscription has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - -- [Figure 9](#win-10-activated-subscription-active) illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Enterprise E3 subscription is active. - -- [Figure 10](#win-10-not-activated) illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Enterprise E3 subscription is active. - -- [Figure 11](#subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 is activated, but the Windows 10 Enterprise E3 subscription is lapsed or removed. - -- [Figure 12](#win-10-not-activated-subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 license is not activated and the Windows 10 Enterprise E3 subscription is lapsed or removed. - - -### Figure 10 - Windows 10 Pro, version 1607 edition not activated in Settings - -Windows 10 not activated and subscription active

    - - -### Figure 11 - Windows 10 Enterprise E3 subscription lapsed or removed in Settings - -Windows 10 activated and subscription not active

    - - -### Figure 12 - Windows 10 Pro, version 1607 edition not activated and Windows 10 Enterprise E3 subscription lapsed or removed in Settings - -Windows 10 not activated and subscription not active

    - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined:** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10:** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Deploy Windows 10 Enterprise features @@ -389,8 +246,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics -[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) - -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) - -[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) +[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) +
    [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) +
    [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md new file mode 100644 index 0000000000..8e9912ed68 --- /dev/null +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md 
@@ -0,0 +1,127 @@ +--- +title: Windows 10 Subscription Activation +description: How to enable Windows 10 Enterprise E3 and E5 subscriptions +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: greg-lindsay +--- + +# Windows 10 Subscription Activation + +With Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. + + If you are running Windows 10 version 1703 or later: + +- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. +- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. + +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis). + +See the following topics in this article: +- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model. +- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). 
+ +## Requirements + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: + +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded +- Azure Active Directory (Azure AD) available for identity management +- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. + +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). + +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) + +## Benefits + +With Windows 10 Enterprise, businesses can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise E3 or E5 to their users. Now, with Windows 10 Enterprise E3 and E5 being available as a true online service, it is available in every channel thus allowing all organizations to take advantage of enterprise grade Windows 10 features. 
To compare Windows 10 editions and review pricing, see the following: + +- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing) + +You can benefit by moving to Windows as an online service in the following ways: + +1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +2. Azure AD logon triggers a silent edition upgrade, with no reboot required +3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. +4. Compliance support via seat assignment. + +## How it works + +When a licensed user signs in to a device that meets requirements using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days. + +Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: +- Devices that have been upgraded will attempt to acquire licenses every 30 days, and must be connected to the Internet to be successful. +- Licenses are valid for 90 days. If a device is disconnected from the Internet until its current license expires, the operating system will revert to Windows 10 Pro. 
As soon as the device is connected to the Internet again, the license will automatically renew assuming the device is still present on list of user devices. +- Up to five devices can be upgraded for each user license. +- The list of devices is chronological and cannot be manually modified. +- If a device meets requirements and a licensed user signs in on that device, it will be upgraded. +- If five devices are already on the list and a subscribed user signs in on a sixth device, then this new device is added to the end of the list and the first device is removed. +- Devices that are removed from the list will cease trying to acquire a license and revert to Windows 10 Pro when the grace period expires. + +Licenses can also be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +If you have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you are able to seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. + +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: + +

    +@echo off
    +FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  ( 
    +SET "ProductKey=%%A"
    +goto InstallKey
    +)
    +
    +:InstallKey
    +IF [%ProductKey%]==[] (
    +echo No key present
    +) ELSE (
    +echo Installing %ProductKey%
    +changepk.exe /ProductKey %ProductKey%
    +)
    +
    + +### Obtaining an Azure AD licence + +Enterprise Agreement/Software Assurance (EA/SA): +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). +- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. + +Microsoft Products & Services Agreements (MPSA): +- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. +- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. + +### Deploying licenses + +See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). + +Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). + +## Related topics + +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) +
    [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 2ba92a4627..d9870313ca 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt -localizationpriority: high +ms.localizationpriority: high author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 7cd077d90a..63e2727b2a 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm -localizationpriority: high +ms.localizationpriority: high author: greg-lindsay --- 
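Review bot: The .cmd script added under "Existing Enterprise deployments" in windows-10-enterprise-subscription-activation.md never clears `ProductKey` before the `FOR /F` loop, and it prints the key with `echo Installing %ProductKey%`. If the wmic query yields no usable line, a value inherited from the calling environment would be passed to `changepk.exe`. The echoed key also ends up in any console transcript or deployment log that captures the elevated session. I would add `SET "ProductKey="` directly after `@echo off` and change the message to `echo Installing firmware-embedded product key`. It is also worth confirming that the `IF [%ProductKey%]==[]` test behaves as intended on a device with no OA3 key, since wmic output lines may carry trailing whitespace.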
@@ -205,6 +205,10 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT +>[!IMPORTANT] +>This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). +>If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). + 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index ebdbe4e613..621de876bd 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm -localizationpriority: high +ms.localizationpriority: high author: greg-lindsay --- diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index afc909741a..154981a4b6 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md 
@@ -4,7 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high ms.sitesec: library author: greg-lindsay --- diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index a159244f1a..8290d3383d 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -9,7 +9,7 @@ ms.sitesec: library author: mtniehaus --- -# Windows 10 deployment tools +# Windows 10 deployment scenarios and tools To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index 9305ed157e..ddd4bb48f1 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md @@ -650,6 +650,7 @@ ## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md) ### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md) ### [TPM fundamentals](tpm/tpm-fundamentals.md) +### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) ### [Manage TPM commands](tpm/manage-tpm-commands.md) diff --git a/windows/device-security/applocker/applocker-overview.md b/windows/device-security/applocker/applocker-overview.md index 80cbfe0b49..1d4fe3bc2f 100644 --- a/windows/device-security/applocker/applocker-overview.md 
+++ b/windows/device-security/applocker/applocker-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/applocker/delete-an-applocker-rule.md b/windows/device-security/applocker/delete-an-applocker-rule.md index 3d4888fb73..4f50ad433f 100644 --- a/windows/device-security/applocker/delete-an-applocker-rule.md +++ b/windows/device-security/applocker/delete-an-applocker-rule.md @@ -32,3 +32,23 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins >**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. When this procedure is performed on the local device, the AppLocker policy takes effect immediately. + +**To clear AppLocker policies on a single system or remote systems** +Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: + + + + +To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: + + PS C:\Users\Administrator> import-module AppLocker + +We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command: + + C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml + +This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. diff --git a/windows/device-security/applocker/requirements-to-use-applocker.md b/windows/device-security/applocker/requirements-to-use-applocker.md index 81fe0f76ba..caa0c16d67 100644 --- a/windows/device-security/applocker/requirements-to-use-applocker.md 
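Review bot: The procedure added to delete-an-applocker-rule.md tells the reader to clear every AppLocker policy, but it gives no step for saving the current policy and does not say what happens on managed machines. `Set-AppLockerPolicy` without `-Merge` replaces the existing policy, so I would add a step before it such as `Get-AppLockerPolicy -Local -Xml > .\applocker-backup.xml` (the file name is a placeholder). I would also add a sentence noting that policy delivered through a GPO will presumably be reapplied at the next Group Policy refresh. The XML that clear.xml should contain does not appear between "following contents:" and "To use the Set-AppLockerPolicy cmdlet" in this view; if it is missing from the file itself rather than lost in rendering, the step cannot be followed. The closing sentence about scripting this across machines should state that the result is a machine with no application control, and that the change should be recorded and reviewed like any other policy change.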
+++ b/windows/device-security/applocker/requirements-to-use-applocker.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/applocker/tools-to-use-with-applocker.md b/windows/device-security/applocker/tools-to-use-with-applocker.md index a5346774ab..7708198815 100644 --- a/windows/device-security/applocker/tools-to-use-with-applocker.md +++ b/windows/device-security/applocker/tools-to-use-with-applocker.md @@ -46,7 +46,7 @@ The following tools can help you administer the application control policies cre - **AppLocker PowerShell cmdlets** - The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/itpro/powershell/windows/applocker/applocker). ## Related topics diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md index f08b02baf6..db72ab90ec 100644 
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -13,7 +13,9 @@ author: Justinha **Applies to** - Windows 10 -This topic provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This topic explains how BitLocker and device encryption can help protect data on devices running Windows 10. +For an architectural overview about how device encryption works with Secure Boot, see [Secure boot and device encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). +For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. diff --git a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md index e0f1bc14e9..68cc89fe05 100644 --- a/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/bitlocker/bitlocker-overview.md b/windows/device-security/bitlocker/bitlocker-overview.md index d92c5e1cce..b9308ded1b 100644 --- a/windows/device-security/bitlocker/bitlocker-overview.md +++ b/windows/device-security/bitlocker/bitlocker-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md index f5c4e6001a..b87d0626c3 100644 --- a/windows/device-security/change-history-for-device-security.md +++ b/windows/device-security/change-history-for-device-security.md @@ -11,6 +11,12 @@ author: brianlic-msft # Change history for device security This topic lists new and updated topics in the [Device security](index.md) documentation. +## July 2017 +|New or changed topic |Description | +|---------------------|------------| + | [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. | + + ## May 2017 |New or changed topic |Description | |---------------------|------------| diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md index 898731c8d2..905dcc1550 100644 --- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md 
@@ -4,7 +4,7 @@ description: This article describes how to deploy catalog files to support code keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md index e1046621fc..ab8015ffad 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -4,7 +4,7 @@ description: This article provides information about two elements in code integr keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 1f4eff567b..6b3f009321 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -4,7 +4,7 @@ description: This article describes how to deploy code integrity policies, one o keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- 
@@ -33,7 +33,7 @@ Members of the security community\* continuously collaborate with Mic Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard: - bash.exe -- bginfo.exe +- bginfo.exe[1] - cdb.exe - csi.exe - dnx.exe @@ -42,14 +42,16 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - kd.exe - ntkd.exe - lxssmanager.dll -- msbuild.exe[1] +- msbuild.exe[2] - mshta.exe - ntsd.exe - rcsi.exe - system.management.automation.dll - windbg.exe -[1]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. +[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. + +[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. *Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: 
diff --git a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md index baad65e7bb..012a60e785 100644 --- a/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/device-security/device-guard/deploy-device-guard-deploy-code-integrity-policies.md @@ -4,7 +4,7 @@ description: This article, and the articles it links to, describe how to create keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md index 773414f009..45c3ca1f45 100644 --- a/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md @@ -4,7 +4,7 @@ description: This article describes how to enable virtualization-based security, keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index cf53463610..fcd0f46670 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md 
@@ -4,7 +4,7 @@ description: Explains how you can use a managed installer to automatically autho keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: mdsakibMSFT --- diff --git a/windows/device-security/device-guard/device-guard-deployment-guide.md b/windows/device-security/device-guard/device-guard-deployment-guide.md index d50a13cc43..da932fc370 100644 --- a/windows/device-security/device-guard/device-guard-deployment-guide.md +++ b/windows/device-security/device-guard/device-guard-deployment-guide.md @@ -5,7 +5,7 @@ ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486 keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 66956fbb5c..8c995bb3fe 100644 --- a/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -4,7 +4,7 @@ description: Microsoft Device Guard is a feature set that consists of both hardw keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 89b5072658..32732cc6a1 100644 
--- a/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/device-security/device-guard/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -4,7 +4,7 @@ description: This article describes how to create a code signing certificate for keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index d3919505b8..c822167621 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -4,7 +4,7 @@ description: To help you plan and begin the initial test stages of a deployment keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md index 3a9804aa1c..9b22432875 100644 --- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -4,7 +4,7 @@ description: To help you plan a deployment of Microsoft Device Guard, this artic keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- 
@@ -14,16 +14,6 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This article describes the following: - -- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard) - - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections) - - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security) -- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices) -- [Device Guard deployment in virtual machines](#device-guard-deployment-in-virtual-machines) -- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files) -- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing) - The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). >**Note**  If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx). @@ -45,53 +35,50 @@ The following tables provide more information about the hardware, firmware, and > • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    > • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. -## Device Guard requirements for baseline protections +## Baseline protections -|Baseline Protections - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +|Baseline Protections | Description | Security benefits | +|--------------------------------|----------------------------------------------------|-------------------| +| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. 
| +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

    | Support for VBS and for management features that simplify configuration of Device Guard. | -> **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. +> **Important**  The following tables list additional qualifications for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Device Guard can provide. -## Device Guard requirements for improved security +## Additional qualifications for improved security -The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. +The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met. ### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 - -| Protections for Improved Security - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|------| +| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
    -### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 +### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 -> **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. -| Protections for Improved Security - requirement | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|-----| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    -### Additional Qualification Requirements starting with Windows 10, version 1703 +### Additional security qualifications starting with Windows 10, version 1703 -The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    • UEFI runtime service must meet these requirements:
        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and exceutable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | +| Protections for Improved Security | Description | Security benefits | +|---------------------------------------------|----------------------------------------------------|------| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    • UEFI runtime service must meet these requirements:
        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and exceutable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices diff --git a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md index 5a3cde966e..aa07230763 100644 --- a/windows/device-security/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/device-security/security-policy-settings/accounts-administrator-account-status.md 
@@ -18,18 +18,17 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security setting determines whether the local administrator account is enabled or disabled. +This security setting determines whether the local Administrator account is enabled or disabled. -If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account. +The following conditions prevent disabling the Administrator account, even if this security setting is disabled. -If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled. -1. No other local administrator account exists -2. The administrator account is currently in use -3. All other local administrator accounts are: +1. The Administrator account is currently in use +2. The Administrators group has no other members +3. All other members of the Administrators group are: 1. Disabled 2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment -If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account. +If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password. ### Possible values - Enabled 
@@ -51,12 +50,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. | Server type or GPO | Default value | +| - | - | | Default Domain Policy | Not defined | | Default Domain Controller Policy |Not defined | | Stand-Alone Server Default Settings | Enabled | | DC Effective Default Settings | Enabled | | Member Server Effective Default Settings | Enabled | | Client Computer Effective Default Settings | Disabled | +   ## Policy management diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 6c96f4605e..0264785b4b 100644 --- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: justinha --- diff --git a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index b9a0e71329..3f98b0d5f2 100644 --- a/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md 
@@ -24,11 +24,11 @@ This policy setting allows a client device to require the negotiation of 128-bit - Require NTLMv2 session security - The connection fails if strong encryption (128-bit) is not negotiated. + The connection fails if the NTLMv2 protocol is not negotiated. - Require 128-bit encryption - The connection fails if the NTLMv2 protocol is not negotiated. + The connection fails if strong encryption (128-bit) is not negotiated. ### Best practices diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md index b4896738f7..e8cba42ee3 100644 --- a/windows/device-security/security-policy-settings/security-options.md +++ b/windows/device-security/security-policy-settings/security-options.md 
@@ -53,7 +53,8 @@ For info about setting security policies, see [Configure security policy setting | [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.| |[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. | | [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. 
| -| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.| +| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.| +| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.| | [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.| | [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| | [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| diff --git a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 348aa4eb2d..16ed671235 100644 --- a/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md 
+++ b/windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shutdown: Clear virtual memory pagefile - security policy setting +# Shutdown: Clear virtual memory pagefile **Applies to** - Windows 10 diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md new file mode 100644 index 0000000000..88f2a9f786 --- /dev/null +++ b/windows/device-security/tpm/how-windows-uses-the-tpm.md 
@@ -0,0 +1,159 @@
+---
+title: How Windows uses the TPM
+description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
+ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# How Windows 10 uses the Trusted Platform Module
+
+The Windows 10 operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM.
+
+
+**See also:**
+
+ - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
+
+ - [TPM Fundamentals](tpm-fundamentals.md)
+
+ - [TPM Recommendations](tpm-recommendations.md) 
+
+## TPM Overview
+
+The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more.
+
+Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system.
Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
+
+The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
+
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve.
For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*.
+
+The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
+
+Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+
+## TPM in Windows 10
+
+The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security.
+
+## Platform Crypto Provider
+
+Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
+
+Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
+
+The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
+
+• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
+
+• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
+
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows 10 device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
+
+## Virtual Smart Card
+
+Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it.
Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses.
+
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+
+## Windows Hello for Business
+
+Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places.
Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
+
+The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889).
+
+Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
+
+• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+
+• **Attestation identity key**.
To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
+
+![TPM Capabilities](images/tpm-capabilities.png)
+
+*Figure 1: TPM Cryptographic Key Management*
+
+For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned.
+
+## BitLocker Drive Encryption
+
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+
+• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.)
The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+
+• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data.
Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS).
+
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+
+Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+
+## Device Encryption
+
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account.
The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+
+For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
+
+## Measured Boot
+
+Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.
+
+The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM.
For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
+
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+
+TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
+
+The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
+
+• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM.
Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
+
+When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
+
+![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
+
+*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
+
+
+## Health Attestation
+
+Some Windows 10 improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
+
+Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.
+
+## Credential Guard
+
+Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use.
One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
+
+Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
+
+The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10.
+
+## Conclusion
+
+The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits.
The following table summarizes the key benefits of the TPM’s major features.
+
+
+|Feature | Benefits when used on a system with a TPM|
+|---|---|
+| Platform Crypto Provider | •     If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
    •     The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
+| Virtual Smart Card | •     Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.|
+| Windows Hello for Business | •     Credentials provisioned on a device cannot be copied elsewhere.
    •     Confirm a device’s TPM before credentials are provisioned. |
+| BitLocker Drive Encryption | •     Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
+|Device Encryption | •     With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
+| Measured Boot | •     A hardware root of trust contains boot measurements that help detect malware during remote attestation.
+| Health Attestation | •     MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
+| Credential Guard | •     Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
+
+
    
+
+Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
\ No newline at end of file
diff --git a/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
new file mode 100644
index 0000000000..64eb88ebe7
Binary files /dev/null and b/windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png differ
diff --git a/windows/device-security/tpm/images/tpm-capabilities.png b/windows/device-security/tpm/images/tpm-capabilities.png
new file mode 100644
index 0000000000..b10c66b27c
Binary files /dev/null and b/windows/device-security/tpm/images/tpm-capabilities.png differ
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
index d0283a1020..7c44d3803e 100644
--- a/windows/device-security/tpm/tpm-recommendations.md
+++ b/windows/device-security/tpm/tpm-recommendations.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- @@ -105,10 +105,10 @@ The following table defines which Windows features require TPM support. | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | -| Device Guard / Configurable Code Integrity | See next column | Recommended | | +| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. | | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | | Device Health Attestation | Required | Required | | -| Windows Hello | Not Required | Recommended | | +| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | | UEFI Secure Boot | Not Required | Recommended | | | Platform Key Storage provider | Required | Required | | | Virtual Smart Card | Required | Required | | 
diff --git a/windows/device-security/tpm/trusted-platform-module-overview.md b/windows/device-security/tpm/trusted-platform-module-overview.md index ba05130ce1..119ebafb02 100644 --- a/windows/device-security/tpm/trusted-platform-module-overview.md +++ b/windows/device-security/tpm/trusted-platform-module-overview.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/tpm/trusted-platform-module-top-node.md b/windows/device-security/tpm/trusted-platform-module-top-node.md index ad6428c661..f7ef7a4b61 100644 --- a/windows/device-security/tpm/trusted-platform-module-top-node.md +++ b/windows/device-security/tpm/trusted-platform-module-top-node.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft --- diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md index 85ff61bf41..207c463b85 100644 --- a/windows/device-security/windows-10-mobile-security-guide.md +++ b/windows/device-security/windows-10-mobile-security-guide.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile -localizationpriority: high +ms.localizationpriority: high author: AMeeus --- # Windows 10 Mobile security guide diff --git a/windows/hub/index.md b/windows/hub/index.md index 7ebbf52bf3..200db0cd98 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md 
@@ -3,7 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10) description: Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile. ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 ms.prod: w10 -localizationpriority: high +ms.localizationpriority: high author: brianlic-msft ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 9714c77347..fd9171827c 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -82,9 +82,15 @@ ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) -### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) -### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) + +### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) + +### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) + + ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) + + ### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md) #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) 
@@ -95,6 +101,8 @@ ##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md) ##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md) ##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md) + + ### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md) #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md) ##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md) @@ -109,6 +117,8 @@ ##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) ##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) ##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) + + ### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) #### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) ##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) 
@@ -120,19 +130,26 @@ #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) + + ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) + + + ### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) #### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) #### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) + ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) + ## [Protect your enterprise data using Windows Information 
Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) ##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) ##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) #### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) 
@@ -150,10 +167,17 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) + ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) + ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) + ## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) -## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) + +## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) + ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) + ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file + +## [Change history for Threat Protection](change-history-for-threat-protection.md) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index 8343d2c59e..e854d43efb 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft -localizationpriority: high +ms.localizationpriority: high --- # Block untrusted fonts in an enterprise 
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index ee84b688ce..f89c5ecee5 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -14,18 +14,18 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc ## June 2017 |New or changed topic |Description | |---------------------|------------| -| [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New | +|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New | |[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| -[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| |[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| -[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | +|[Secure the Windows 10 boot 
process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | ## March 2017 |New or changed topic |Description | |---------------------|------------| -||[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | +|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | |[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. | |[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.| |[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New | diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 77a4201aad..885e4d9279 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md 
@@ -14,11 +14,14 @@ Learn more about how to help protect against threats in Windows 10 and Windows | Section | Description | |-|-| -| [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) | Learn more about mitigating threats in Windows 10. | -| [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies. | -| [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| -| [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.| -|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Learn more about how to help protect against potential corporate data leakage. | -| [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) | Learn more about Windows Defender SmartScreen. | -| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. 
| -| [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | +|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.| +|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| +|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. 
Includes a list of system requirements and new features.| +|[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.| +|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| +|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.| +|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.| +|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.| +|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.| +|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | +|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. | 
diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md index a23616e9a6..e3f898afa0 100644 --- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -localizationpriority: high +ms.localizationpriority: high author: justinha --- diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md index 2f0931b1dc..83a8c454ed 100644 --- a/windows/threat-protection/secure-the-windows-10-boot-process.md +++ b/windows/threat-protection/secure-the-windows-10-boot-process.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security ms.sitesec: library -localizationpriority: medium +ms.localizationpriority: medium author: brianlic-msft ms.date: 06/23/2017 --- diff --git a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 6d73bea83b..4f4815d991 100644 --- a/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -7,7 +7,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index d3a3a91d2b..2bde953608 100644 
--- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index edf44cdddc..66f292c972 100644 --- a/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 18065e7b67..28d95b5f7c 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 0321537068..51e4da766a 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 09874321a0..9db9a1a011 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 47b2f3f968..6483bcb53a 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md 
@@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index db1498b7bd..38c2c15f82 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -8,16 +8,19 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans +# Configure and validate exclusions for Windows Defender AV scans (client) **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** @@ -39,6 +42,8 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. +Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. + >[!WARNING] >Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 3d78deccde..3ab8d056a6 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure and validate exclusions based on file extension and folder location @@ -18,6 +20,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 728b747ccb..4b7b42f001 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index e31e53a2bb..1d44078c65 100644 
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index a692199439..8cce4e1f03 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 50dbbe12a6..bd0aa9f9ff 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure exclusions for files opened by processes 
@@ -17,6 +19,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index bf1f2f595e..c1996876ef 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 677e0883be..34adf05d43 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index b664d78cdf..2ae2cc1683 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index c293dd3358..033e1ba5fd 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -8,11 +8,13 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure exclusions in Windows Defender AV on Windows Server 2016 +# Configure exclusions in Windows Defender AV on Windows Server **Applies to:** 
@@ -30,14 +32,28 @@ author: iaanw - PowerShell - Windows Management Instrumentation (WMI) -If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role. +If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions). These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). -You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics: +You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics: - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +Custom exclusions take precedence over the automatic exclusions. + +> [!TIP] +> Custom and duplicate exclusions do not conflict with automatic exclusions. + +Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer. + + +## Opt out of automatic exclusions + +In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. 
If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates. + +> [!WARNING] +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI. @@ -58,7 +74,7 @@ You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, Use the following cmdlets: ```PowerShell -Set-MpPreference -DisableAutoExclusions +Set-MpPreference -DisableAutoExclusions $true ``` See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
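Review bot: The added sentence on role detection abbreviates the tool as `DSIM`, but the name written out beside it, Deployment Image Servicing and Management, abbreviates to DISM, so it should read `(DISM) tools`. In the same hunk, "Custom exclusions take precedence over the automatic exclusions" sits directly above a tip saying custom and duplicate exclusions do not conflict with automatic ones, which leaves the meaning of "precedence" unclear. Presumably exclusions only ever add to each other, and one sentence saying whether a custom setting can or cannot restore scanning of an automatically excluded path would settle it. The new "Opt out of automatic exclusions" paragraph also writes the verb as `opt-out`; `you need to opt out of` matches the heading.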
@@ -75,9 +91,312 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + +## List of automatic exclusions +The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. + +### Default exclusions for all roles +This section lists the default exclusions for all Windows Server 2016 roles. + +- Windows "temp.edb" files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb + + - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log + +- Windows Update files or Automatic Update files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log + + - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs + + - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log + +- Windows Security files: + + - *%windir%*\Security\database\\*.chk + + - *%windir%*\Security\database\\*.edb + + - *%windir%*\Security\database\\*.jrs + + - *%windir%*\Security\database\\*.log + + - *%windir%*\Security\database\\*.sdb + +- Group Policy files: + + - *%allusersprofile%*\NTUser.pol + + - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol + + - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol + +- WINS files: + + - *%systemroot%*\System32\Wins\\*\\\*.chk + + - *%systemroot%*\System32\Wins\\*\\\*.log + + - *%systemroot%*\System32\Wins\\*\\\*.mdb + + - *%systemroot%*\System32\LogFiles\ + + - *%systemroot%*\SysWow64\LogFiles\ + +- File Replication Service (FRS) exclusions: + + - Files in the File Replication Service (FRS) working folder. 
The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` + + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + + - *%windir%*\Ntfrs\jet\log\\*\\\*.log + + - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + + - *%windir%*\Ntfrs\\*\Edb\*.log + + - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + + - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + + - The Distributed File System Replication (DFSR) database and working folders. 
These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + + - *%systemdrive%*\System Volume Information\DFSR\\*.XML + + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + + - *%systemdrive%*\System Volume Information\DFSR\\*.frx + + - *%systemdrive%*\System Volume Information\DFSR\\*.log + + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + +- Process exclusions + + - *%systemroot%*\System32\dfsr.exe + + - *%systemroot%*\System32\dfsrs.exe + +- Hyper-V exclusions: + + - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role + + - File type exclusions: + + - *.vhd + + - *.vhdx + + - *.avhd + + - *.avhdx + + - *.vsv + + - *.iso + + - *.rct + + - *.vmcx + + - *.vmrs + + - Folder exclusions: + + - *%ProgramData%*\Microsoft\Windows\Hyper-V + + - *%ProgramFiles%*\Hyper-V + + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + + - Process exclusions: + + - *%systemroot%*\System32\Vmms.exe + + - *%systemroot%*\System32\Vmwp.exe + +- SYSVOL files: + + - *%systemroot%*\Sysvol\Domain\\*.adm + + - *%systemroot%*\Sysvol\Domain\\*.admx + + - *%systemroot%*\Sysvol\Domain\\*.adml + + - *%systemroot%*\Sysvol\Domain\Registry.pol + + - *%systemroot%*\Sysvol\Domain\\*.aas + + - *%systemroot%*\Sysvol\Domain\\*.inf + + - 
*%systemroot%*\Sysvol\Domain\\*.Scripts.ini + + - *%systemroot%*\Sysvol\Domain\\*.ins + + - *%systemroot%*\Sysvol\Domain\Oscfilter.ini + +### Active Directory exclusions +This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. + +- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` + + - %windir%\Ntds\ntds.dit + + - %windir%\Ntds\ntds.pat + +- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\Res*.log + + - %windir%\Ntds\Edb*.jrs + + - %windir%\Ntds\Ntds*.pat + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\TEMP.edb + +- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` + + - %windir%\Ntds\Temp.edb + + - %windir%\Ntds\Edb.chk + +- Process exclusions for AD DS and AD DS-related support files: + + - %systemroot%\System32\ntfrs.exe + + - %systemroot%\System32\lsass.exe + +### DHCP Server exclusions +This section lists the exclusions that are delivered automatically when you install the DHCP Server role. 
The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` + +- *%systemroot%*\System32\DHCP\\*\\\*.mdb + +- *%systemroot%*\System32\DHCP\\*\\\*.pat + +- *%systemroot%*\System32\DHCP\\*\\\*.log + +- *%systemroot%*\System32\DHCP\\*\\\*.chk + +- *%systemroot%*\System32\DHCP\\*\\\*.edb + +### DNS Server exclusions +This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. + +- File and folder exclusions for the DNS Server role: + + - *%systemroot%*\System32\Dns\\*\\\*.log + + - *%systemroot%*\System32\Dns\\*\\\*.dns + + - *%systemroot%*\System32\Dns\\*\\\*.scc + + - *%systemroot%*\System32\Dns\\*\BOOT + +- Process exclusions for the DNS Server role: + + - *%systemroot%*\System32\dns.exe + + + +### File and Storage Services exclusions +This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. + +- *%SystemDrive%*\ClusterStorage + +- *%clusterserviceaccount%*\Local Settings\Temp + +- *%SystemDrive%*\mscs + +### Print Server exclusions +This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. + +- File type exclusions: + + - *.shd + + - *.spl + +- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` + + - *%system32%*\spool\printers\\* + +- Process exclusions: + + - spoolsv.exe + +### Web Server exclusions +This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. 
+ +- Folder exclusions: + + - *%SystemRoot%*\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates + + - *%systemDrive%*\inetpub\logs + + - *%systemDrive%*\inetpub\wwwroot + +- Process exclusions: + + - *%SystemRoot%*\system32\inetsrv\w3wp.exe + + - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe + + - *%SystemDrive%*\PHP5433\php-cgi.exe + +### Windows Server Update Services exclusions +This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` + +- *%systemroot%*\WSUS\WSUSContent + +- *%systemroot%*\WSUS\UpdateServicesDBFiles + +- *%systemroot%*\SoftwareDistribution\Datastore + +- *%systemroot%*\SoftwareDistribution\Download + + + + ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 5ba96c2e65..1e58b44fb0 100644 
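Review bot: The Active Directory transaction-log list added in this hunk has `%windir%\Ntds\EDB*.log` as both its first and fifth entry, and the same file appears as `%windir%\Ntds\TEMP.edb` under the transaction logs and `%windir%\Ntds\Temp.edb` under the working folder; the repeats should be dropped. Under "Default exclusions for all roles", the first bullet is labelled Windows "temp.edb" files while the path beneath it ends in `tmp.edb`, and its second path is a `*.log` pattern under `Microsoft\Search`, so the label or the grouping needs correcting. The Hyper-V, WINS, FRS/DFSR and SYSVOL entries also sit under that "all roles" heading, although the Hyper-V text says they are delivered when that role is installed; these look like they belong in per-role sections like DHCP and DNS. The topic states that these exclusions do not appear in the Security Center exclusion lists, so this table is the only reference an administrator has for auditing what is left unscanned, and it should be exact.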
--- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index fb622e18eb..6eb5d98e2e 100644 --- a/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 1c76376a0b..447437331e 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 0f51f5cf85..8424255df1 100644 
--- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 29c80abf0c..c1f14fe426 100644 --- a/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 296bbd7013..256b81f90d 100644 --- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: detect ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 4057fe4655..755d7bb810 100644 
--- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 4f51b16a7a..15297f3b96 100644 --- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 9726dfceba..123057dc01 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 32920b478d..18e242a4f0 100644 
--- a/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index feffc5c8b6..d5838972b1 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 751a8801d2..d87bb53800 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- 
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 89be197b89..374162b001 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index b54cfd7521..efcdb994fa 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index ce95481ff2..1da8e5b737 100644 --- a/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index dda75ed42a..2082f44329 100644 --- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 63d6ce419e..3307e84851 100644 --- a/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 4e29084ea1..0fb07edd90 100644 --- a/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md 
@@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index a4826a52ae..f9ad88746b 100644 --- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 321924a398..8e3ea5d3bf 100644 --- a/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 4e7c275117..603cf37adf 100644 --- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md 
@@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Review event logs and error codes to troubleshoot issues with Windows Defender AV @@ -17,6 +19,7 @@ author: iaanw **Applies to** - Windows 10 +- Windows Server 2016 **Audience** 
@@ -27,55 +30,58 @@ If you encounter a problem with Windows Defender Antivirus, you can search the t The tables list: -- [Windows Defender AV client event IDs](#windows-defender-av-ids) +- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) - [Windows Defender AV client error codes](#error-codes) - [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes) -## Windows Defender AV client event IDs +## Windows Defender AV event IDs Windows Defender AV records event IDs in the Windows event log. You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. -The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error. +The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error. -**To view a Windows Defender client event** +**To view a Windows Defender AV event** 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. - + + +
    + + + - - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - -
    Event ID: 1000
    Event ID: 1000 -

    Symbolic name:

    +Symbolic name:
    -

    MALWAREPROTECTION_SCAN_STARTED

    +
    +MALWAREPROTECTION_SCAN_STARTED
    -

    Message:

    +Message:
    -

    An antimalware scan started. -

    +
    +An antimalware scan started. +
    -

    Description:

    +
    +Description: -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -93,32 +99,31 @@ The table in this section lists the main Windows Defender Antivirus client event
      Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
      User: <Domain>\\<User>
    -

    Event ID: 1001 -

    Symbolic name:

    +
    Event ID: 1001
    +Symbolic name: -

    MALWAREPROTECTION_SCAN_COMPLETED

    +
    +MALWAREPROTECTION_SCAN_COMPLETED
    -

    Message:

    +Message:
    -

    An antimalware scan finished.

    +
    +An antimalware scan finished.
    -

    Description:

    +Description:
    -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -136,34 +141,33 @@ The table in this section lists the main Windows Defender Antivirus client event
      User: <Domain>\\<User>
      Scan Time: <The duration of a scan.>
    -

    Event ID: 1002 -

    Symbolic name:

    +
    Event ID: 1002
    +Symbolic name: -

    MALWAREPROTECTION_SCAN_CANCELLED -

    +
    +MALWAREPROTECTION_SCAN_CANCELLED +
    -

    Message:

    +Message:
    -

    An antimalware scan was stopped before it finished. -

    +
    +An antimalware scan was stopped before it finished. +
    -

    Description:

    +Description:
    -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -181,34 +185,33 @@ The table in this section lists the main Windows Defender Antivirus client event
      User: <Domain>\<User>
      Scan Time: <The duration of a scan.>
    -

    Event ID: 1003 -

    Symbolic name:

    +
    Event ID: 1003
    +Symbolic name: -

    MALWAREPROTECTION_SCAN_PAUSED -

    +
    +MALWAREPROTECTION_SCAN_PAUSED +
    -

    Message:

    +Message:
    -

    An antimalware scan was paused. -

    +
    +An antimalware scan was paused. +
    -

    Description:

    +Description:
    -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -225,34 +228,33 @@ The table in this section lists the main Windows Defender Antivirus client event
    User: <Domain>\\<User>
    -

    Event ID: 1004 -

    Symbolic name:

    +
    Event ID: 1004
    +Symbolic name: -

    MALWAREPROTECTION_SCAN_RESUMED -

    +
    +MALWAREPROTECTION_SCAN_RESUMED +
    -

    Message:

    +Message:
    -

    An antimalware scan was resumed. -

    +
    +An antimalware scan was resumed. +
    -

    Description:

    +Description:
    -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -269,34 +271,33 @@ The table in this section lists the main Windows Defender Antivirus client event
    User: <Domain>\\<User>
    -

    Event ID: 1005 -

    Symbolic name:

    +
    Event ID: 1005
    +Symbolic name: -

    MALWAREPROTECTION_SCAN_FAILED -

    +
    +MALWAREPROTECTION_SCAN_FAILED +
    -

    Message:

    +Message:
    -

    An antimalware scan failed. -

    +
    +An antimalware scan failed. +
    -

    Description:

    +Description:
    -

    +

    Scan ID: <ID number of the relevant scan.>
    Scan Type: <Scan type>, for example:
      @@ -317,52 +318,49 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -

    User action:

    +User action:
    -

    The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. -

    -

    To troubleshoot this event: +

    +The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +To troubleshoot this event:
    1. Run the scan again.
    2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
    3. Contact Microsoft Technical Support.
    -

    Event ID: 1006 -

    Symbolic name:

    +
    Event ID: 1006
    +Symbolic name: -

    MALWAREPROTECTION_MALWARE_DETECTED -

    +
    +MALWAREPROTECTION_MALWARE_DETECTED +
    -

    Message:

    +Message:
    -

    The antimalware engine found malware or other potentially unwanted software. -

    +
    +The antimalware engine found malware or other potentially unwanted software. +
    -

    Description:

    +Description:
    -

    -

    For more information please see the following:

    +
    +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -408,35 +406,34 @@ UAC
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1007 -

    Symbolic name:

    +
    Event ID: 1007
    +Symbolic name: -

    MALWAREPROTECTION_MALWARE_ACTION_TAKEN -

    +
    +MALWAREPROTECTION_MALWARE_ACTION_TAKEN +
    -

    Message:

    +Message:
    -

    The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

    +
    +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

    +
    +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
    User: <Domain>\\<User>
    Name: <Threat name>
    @@ -463,33 +460,32 @@ UAC
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1008 -

    Symbolic name:

    +
    Event ID: 1008
    +Symbolic name: -

    MALWAREPROTECTION_MALWARE_ACTION_FAILED

    +
    +MALWAREPROTECTION_MALWARE_ACTION_FAILED
    -

    Message:

    +Message:
    -

    The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

    +
    +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
    -

    Description:

    +Description:
    -

    -

    Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

    +
    +Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
    User: <Domain>\\<User>
    Name: <Threat name>
    @@ -521,35 +517,34 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1009 -

    Symbolic name:

    +
    Event ID: 1009
    +Symbolic name: -

    MALWAREPROTECTION_QUARANTINE_RESTORE -

    +
    +MALWAREPROTECTION_QUARANTINE_RESTORE +
    -

    Message:

    +Message:
    -

    The antimalware platform restored an item from quarantine. -

    +
    +The antimalware platform restored an item from quarantine. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has restored an item from quarantine. For more information please see the following:

    +
    +Windows Defender has restored an item from quarantine. For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -566,35 +561,34 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1010 -

    Symbolic name:

    +
    Event ID: 1010
    +Symbolic name: -

    MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED -

    +
    +MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +
    -

    Message:

    +Message:
    -

    The antimalware platform could not restore an item from quarantine. -

    +
    +The antimalware platform could not restore an item from quarantine. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

    +
    +Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -615,35 +609,34 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1011 -

    Symbolic name:

    +
    Event ID: 1011
    +Symbolic name: -

    MALWAREPROTECTION_QUARANTINE_DELETE

    +
    +MALWAREPROTECTION_QUARANTINE_DELETE
    -

    Message:

    +Message:
    -

    The antimalware platform deleted an item from quarantine. -

    +
    +The antimalware platform deleted an item from quarantine. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has deleted an item from quarantine. -For more information please see the following:

    +
    +Windows Defender has deleted an item from quarantine. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -660,35 +653,34 @@ For more information please see the following:

    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1012 -

    Symbolic name:

    +
    Event ID: 1012
    +Symbolic name: -

    MALWAREPROTECTION_QUARANTINE_DELETE_FAILED -

    +
    +MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +
    -

    Message:

    +Message:
    -

    The antimalware platform could not delete an item from quarantine.

    +
    +The antimalware platform could not delete an item from quarantine.
    -

    Description:

    +Description:
    -

    -

    Windows Defender has encountered an error trying to delete an item from quarantine. -For more information please see the following:

    +
    +Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -709,66 +701,64 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    Event ID: 1013 -

    Symbolic name:

    +
    Event ID: 1013
    +Symbolic name: -

    MALWAREPROTECTION_MALWARE_HISTORY_DELETE -

    +
    +MALWAREPROTECTION_MALWARE_HISTORY_DELETE +
    -

    Message:

    +Message:
    -

    The antimalware platform deleted history of malware and other potentially unwanted software.

    +
    +The antimalware platform deleted history of malware and other potentially unwanted software.
    -

    Description:

    +Description:
    -

    -

    Windows Defender has removed history of malware and other potentially unwanted software.

    +
    +Windows Defender has removed history of malware and other potentially unwanted software.
    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    User: <Domain>\\<User>
    -

    Event ID: 1014 -

    Symbolic name:

    +
    Event ID: 1014
    +Symbolic name: -

    MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED -

    +
    +MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +
    -

    Message:

    +Message:
    -

    The antimalware platform could not delete history of malware and other potentially unwanted software.

    +
    +The antimalware platform could not delete history of malware and other potentially unwanted software.
    -

    Description:

    +Description:
    -

    -

    Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

    +
    +Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    User: <Domain>\\<User>
    @@ -777,35 +767,34 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    Event ID: 1015 -

    Symbolic name:

    +
    Event ID: 1015
    +Symbolic name: -

    MALWAREPROTECTION_BEHAVIOR_DETECTED -

    +
    +MALWAREPROTECTION_BEHAVIOR_DETECTED +
    -

    Message:

    +Message:
    -

    The antimalware platform detected suspicious behavior.

    +
    +The antimalware platform detected suspicious behavior.
    -

    Description:

    +Description:
    -

    -

    Windows Defender has detected a suspicious behavior. -For more information please see the following:

    +
    +Windows Defender has detected a suspicious behavior. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -856,35 +845,34 @@ UAC
    Target File Name: <File name> Name of the file.
    -

    Event ID: 1116 -

    Symbolic name:

    +
    Event ID: 1116
    +Symbolic name: -

    MALWAREPROTECTION_STATE_MALWARE_DETECTED

    +
    +MALWAREPROTECTION_STATE_MALWARE_DETECTED
    -

    Message:

    +Message:
    -

    The antimalware platform detected malware or other potentially unwanted software. -

    +
    +The antimalware platform detected malware or other potentially unwanted software. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has detected malware or other potentially unwanted software. -For more information please see the following:

    +
    +Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -930,44 +918,43 @@ UAC
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    -

    User action:

    +User action:
    -

    No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

    +
    +No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
    Event ID: 1117 -

    Symbolic name:

    +
    Event ID: 1117
    +Symbolic name: -

    MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN -

    +
    +MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +
    -

    Message:

    +Message:
    -

    The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

    +
    +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
    -

    Description:

    +Description:
    -

    -

    Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following:

    +
    +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -1027,8 +1014,8 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    NOTE: -

    Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

      +NOTE: +Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
      • Default Internet Explorer or Microsoft Edge setting
      • User Access Control settings
      • Chrome settings
      • @@ -1044,59 +1031,58 @@ The above context applies to the following client and server versions:
    -

    Client Operating System

    +Client Operating System
    -

    Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

    +Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
    -

    Server Operating System

    +Server Operating System
    -

    Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

    +Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
    -

    -

    User action:

    +User action: - -

    No action is necessary. Windows Defender removed or quarantined a threat.

    + +No action is necessary. Windows Defender removed or quarantined a threat. -Event ID: 1118 - -

    Symbolic name:

    +Event ID: 1118 + + +Symbolic name: - -

    MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

    + +MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED -

    Message:

    +Message: - -

    The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. -

    + +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

    + +Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -1157,43 +1143,42 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    -

    User action:

    +User action: - -

    No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

    + +No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. -Event ID: 1119 - -

    Symbolic name:

    +Event ID: 1119 + + +Symbolic name: - -

    MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED -

    + +MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED + -

    Message:

    +Message: - -

    The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

    + +The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. -

    Description:

    +Description: - -

    -

    Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

    + +Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -1254,15 +1239,14 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    -

    User action:

    +User action: - -

    The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

    + +The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below. @@ -1270,153 +1254,150 @@ Description of the error.
    Action
    -

    Remove

    +Remove
    -

    Update the definitions then verify that the removal was successful.

    +Update the definitions then verify that the removal was successful.
    -

    Clean

    +Clean
    -

    Update the definitions then verify that the remediation was successful.

    +Update the definitions then verify that the remediation was successful.
    -

    Quarantine

    +Quarantine
    -

    Update the definitions and verify that the user has permission to access the necessary resources.

    +Update the definitions and verify that the user has permission to access the necessary resources.
    -

    Allow

    +Allow
    -

    Verify that the user has permission to access the necessary resources.

    +Verify that the user has permission to access the necessary resources.
    -

    -

    If this event persists:

      + +If this event persists:
      1. Run the scan again.
      2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
      3. Contact Microsoft Technical Support.
      -

      -Event ID: 1120 - -

      Symbolic name:

      +Event ID: 1120 + + +Symbolic name: - -

      MALWAREPROTECTION_THREAT_HASH

      + +MALWAREPROTECTION_THREAT_HASH -

      Message:

      +Message: - -

      Windows Defender has deduced the hashes for a threat resource.

      + +Windows Defender has deduced the hashes for a threat resource. -

      Description:

      +Description: - -

      -

      Windows Defender client is up and running in a healthy state.

      + +Windows Defender client is up and running in a healthy state.
      Current Platform Version: <Current platform version>
      Threat Resource Path: <Path>
      Hashes: <Hashes>
      -

      - +
      Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
      -Event ID: 1150 - -

      Symbolic name:

      +Event ID: 1150 + + +Symbolic name: - -

      MALWAREPROTECTION_SERVICE_HEALTHY

      + +MALWAREPROTECTION_SERVICE_HEALTHY -

      Message:

      +Message: - -

      If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. -

      + +If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. + -

      Description:

      +Description: - -

      -

      Windows Defender client is up and running in a healthy state.

      + +Windows Defender client is up and running in a healthy state.
      Platform Version: <Current platform version>
      Signature Version: <Definition version>
      Engine Version: <Antimalware Engine version>
      -

      -

      User action:

      +User action: - -

      No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

      + +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. -Event ID: 2000 - -

      Symbolic name:

      +Event ID: 2000 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_UPDATED -

      + +MALWAREPROTECTION_SIGNATURE_UPDATED + -

      Message:

      +Message: - -

      The antimalware definitions updated successfully. -

      + +The antimalware definitions updated successfully. + -

      Description:

      +Description: - -

      -

      Windows Defender signature version has been updated.

      + +Windows Defender signature version has been updated.
      Current Signature Version: <Current signature version>
      Previous Signature Version: <Previous signature version>
      @@ -1432,42 +1413,41 @@ Description of the error.
      Current Engine Version: <Current engine version>
      Previous Engine Version: <Previous engine version>
      -

      -

      User action:

      +User action: - -

      No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

      + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated. -Event ID: 2001 - -

      Symbolic name:

      +Event ID: 2001 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

      + +MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED -

      Message:

      +Message: - -

      The antimalware definition update failed. -

      + +The antimalware definition update failed. + -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to update signatures.

      + +Windows Defender has encountered an error trying to update signatures.
      New Signature Version: <New version number>
      Previous Signature Version: <Previous signature version>
      @@ -1504,99 +1484,89 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -

      User action:

      +User action: - -

      This error occurs when there is a problem updating definitions.

      -

      To troubleshoot this event: + +This error occurs when there is a problem updating definitions. +To troubleshoot this event:

        -
      1. Update the definitions. Either:
          -
        1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

          Or,

          -
        2. -
        3. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          -
        4. -
        -
      2. +
      3. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
      4. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
      5. Contact Microsoft Technical Support.
      -

      -Event ID: 2002 - -

      Symbolic name:

      +Event ID: 2002 + + +Symbolic name: - -

      MALWAREPROTECTION_ENGINE_UPDATED

      + +MALWAREPROTECTION_ENGINE_UPDATED -

      Message:

      +Message: - -

      The antimalware engine updated successfully. -

      + +The antimalware engine updated successfully. + -

      Description:

      +Description: - -

      -

      Windows Defender engine version has been updated.

      + +Windows Defender engine version has been updated.
      Current Engine Version: <Current engine version>
      Previous Engine Version: <Previous engine version>
      Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
      User: <Domain>\\<User>
      -

      -

      User action:

      +User action: - -

      No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

      + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated. -Event ID: 2003 - -

      Symbolic name:

      +Event ID: 2003 + + +Symbolic name: - -

      MALWAREPROTECTION_ENGINE_UPDATE_FAILED

      + +MALWAREPROTECTION_ENGINE_UPDATE_FAILED -

      Message:

      +Message: - -

      The antimalware engine update failed. -

      + +The antimalware engine update failed. + -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to update the engine.

      + +Windows Defender has encountered an error trying to update the engine.
      New Engine Version:
      Previous Engine Version: <Previous engine version>
      @@ -1607,55 +1577,46 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -

      User action:

      +User action: - -

      The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

      -

      To troubleshoot this event: + +The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. +To troubleshoot this event:

        -
      1. Update the definitions. Either:
          -
        1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

          Or,

          -
        2. -
        3. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          -
        4. -
        -
      2. +
      3. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
      4. Contact Microsoft Technical Support.
      -

      -Event ID: 2004 - -

      Symbolic name:

      +Event ID: 2004 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_REVERSION

      + +MALWAREPROTECTION_SIGNATURE_REVERSION -

      Message:

      +Message: - -

      There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

      + +There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions. -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

      + +Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
      Signatures Attempted:
      Error Code: <Error code> @@ -1665,83 +1626,80 @@ Description of the error.
      Signature Version: <Definition version>
      Engine Version: <Antimalware engine version>
      -

      -

      User action:

      +User action: - -

      The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

      -

      To troubleshoot this event: + +The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions. +To troubleshoot this event:

      1. Restart the computer and try again.
      2. Download the latest definitions from the Microsoft Malware Protection Center. -

        Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

        +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
      3. Contact Microsoft Technical Support.
      -

      -Event ID: 2005 - -

      Symbolic name:

      +Event ID: 2005 + + +Symbolic name: - -

      MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

      + +MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE -

      Message:

      +Message: - -

      The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

      + +The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update. -

      Description:

      +Description: - -

      -

      Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

      + +Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
      Current Platform Version: <Current platform version>
      -

      -Event ID: 2006 - -

      Symbolic name:

      +Event ID: 2006 + + +Symbolic name: - -

      MALWAREPROTECTION_PLATFORM_UPDATE_FAILED -

      + +MALWAREPROTECTION_PLATFORM_UPDATE_FAILED + -

      Message:

      +Message: - -

      The platform update failed. -

      + +The platform update failed. + -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to update the platform.

      + +Windows Defender has encountered an error trying to update the platform.
      Current Platform Version: <Current platform version>
      Error Code: <Error code> @@ -1749,65 +1707,63 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -Event ID: 2007 - -

      Symbolic name:

      +Event ID: 2007 + + +Symbolic name: - -

      MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

      + +MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE -

      Message:

      +Message: - -

      The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

      + +The platform will soon be out of date. Download the latest platform to maintain up-to-date protection. -

      Description:

      +Description: - -

      -

      Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

      + +Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
      Current Platform Version: <Current platform version>
      -

      -Event ID: 2010 - -

      Symbolic name:

      +Event ID: 2010 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED -

      + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED + -

      Message:

      +Message: - -

      The antimalware engine used the Dynamic Signature Service to get additional definitions. -

      + +The antimalware engine used the Dynamic Signature Service to get additional definitions. + -

      Description:

      +Description: - -

      -

      Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

      + +Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
      Current Signature Version: <Current signature version>
      Signature Type: <Signature type>, for example:
        @@ -1838,35 +1794,34 @@ Description of the error.
      Persistence Limit: Persistence limit of the fastpath signature.
      -

      -Event ID: 2011 - -

      Symbolic name:

      +Event ID: 2011 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED -

      + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED + -

      Message:

      +Message: - -

      The Dynamic Signature Service deleted the out-of-date dynamic definitions. -

      + +The Dynamic Signature Service deleted the out-of-date dynamic definitions. + -

      Description:

      +Description: - -

      -

      Windows Defender used Dynamic Signature Service to discard obsolete signatures.

      + +Windows Defender used Dynamic Signature Service to discard obsolete signatures.
      Current Signature Version: <Current signature version>
      Signature Type: <Signature type>, for example:
        @@ -1898,43 +1853,42 @@ Description of the error.
      Persistence Limit: Persistence limit of the fastpath signature.
      -

      -

      User action:

      +User action: - -

      No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

      + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. -Event ID: 2012 - -

      Symbolic name:

      +Event ID: 2012 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED -

      + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED + -

      Message:

      +Message: - -

      The antimalware engine encountered an error when trying to use the Dynamic Signature Service. -

      + +The antimalware engine encountered an error when trying to use the Dynamic Signature Service. + -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to use Dynamic Signature Service.

      + +Windows Defender has encountered an error trying to use Dynamic Signature Service.
      Current Signature Version: <Current signature version>
      Signature Type: <Signature type>, for example:
        @@ -1969,109 +1923,106 @@ Description of the error.
      Persistence Limit: Persistence limit of the fastpath signature.
      -

      -

      User action:

      +User action: - -

      Check your Internet connectivity settings.

      + +Check your Internet connectivity settings. -Event ID: 2013 - -

      Symbolic name:

      +Event ID: 2013 + + +Symbolic name: - -

      MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL -

      + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL + -

      Message:

      +Message: - -

      The Dynamic Signature Service deleted all dynamic definitions. -

      + +The Dynamic Signature Service deleted all dynamic definitions. + -

      Description:

      +Description: - -

      -

      Windows Defender discarded all Dynamic Signature Service signatures.

      + +Windows Defender discarded all Dynamic Signature Service signatures.
      Current Signature Version: <Current signature version>
      -

      -Event ID: 2020 - -

      Symbolic name:

      +Event ID: 2020 + + +Symbolic name: - -

      MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED -

      + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED + -

      Message:

      +Message: - -

      The antimalware engine downloaded a clean file. -

      + +The antimalware engine downloaded a clean file. + -

      Description:

      +Description: - -

      -

      Windows Defender downloaded a clean file.

      + +Windows Defender downloaded a clean file.
      Filename: <File name> Name of the file.
      Current Signature Version: <Current signature version>
      Current Engine Version: <Current engine version>
      -

      -Event ID: 2021 - -

      Symbolic name:

      +Event ID: 2021 + + +Symbolic name: - -

      MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

      + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED -

      Message:

      +Message: - -

      The antimalware engine failed to download a clean file. -

      + +The antimalware engine failed to download a clean file. + -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to download a clean file.

      + +Windows Defender has encountered an error trying to download a clean file.
      Filename: <File name> Name of the file.
      @@ -2082,185 +2033,185 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -

      User action:

      +User action: - -

      Check your Internet connectivity settings. -

      -

      The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -

      + +Check your Internet connectivity settings. +The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -Event ID: 2030 - -

      Symbolic name:

      +Event ID: 2030 + + +Symbolic name: - -

      MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

      + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED -

      Message:

      +Message: - -

      The antimalware engine was downloaded and is configured to run offline on the next system restart.

      + +The antimalware engine was downloaded and is configured to run offline on the next system restart. -

      Description:

      +Description: - -

      Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

      + +Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot. -Event ID: 2031 - -

      Symbolic name:

      +Event ID: 2031 + + +Symbolic name: - -

      MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED -

      + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED + -

      Message:

      +Message: - -

      The antimalware engine was unable to download and configure an offline scan.

      + +The antimalware engine was unable to download and configure an offline scan. -

      Description:

      +Description: - -

      -

      Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

      + +Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
      Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      -Event ID: 2040 - -

      Symbolic name:

      +Event ID: 2040 + + +Symbolic name: - -

      MALWAREPROTECTION_OS_EXPIRING -

      + +MALWAREPROTECTION_OS_EXPIRING + -

      Message:

      +Message: - -

      Antimalware support for this operating system version will soon end. -

      + +Antimalware support for this operating system version will soon end. + -

      Description:

      +Description: - -

      The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

      + +The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2041 - -

      Symbolic name:

      +Event ID: 2041 + + +Symbolic name: - -

      MALWAREPROTECTION_OS_EOL -

      + +MALWAREPROTECTION_OS_EOL + -

      Message:

      +Message: - -

      Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. -

      + +Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. + -

      Description:

      +Description: - -

      The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

      + +The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2042 - -

      Symbolic name:

      +Event ID: 2042 + + +Symbolic name: - -

      MALWAREPROTECTION_PROTECTION_EOL -

      + +MALWAREPROTECTION_PROTECTION_EOL + -

      Message:

      +Message: - -

      The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. -

      + +The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. + -

      Description:

      +Description: - -

      The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

      + +The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. -Event ID: 3002 - -

      Symbolic name:

      +Event ID: 3002 + + +Symbolic name: - -

      MALWAREPROTECTION_RTP_FEATURE_FAILURE -

      + +MALWAREPROTECTION_RTP_FEATURE_FAILURE + -

      Message:

      +Message: - -

      Real-time protection encountered an error and failed.

      + +Real-time protection encountered an error and failed. -

      Description:

      +Description: - -

      -

      Windows Defender Real-Time Protection feature has encountered an error and failed.

      + +Windows Defender Real-Time Protection feature has encountered an error and failed.
      Feature: <Feature>, for example:
        @@ -2276,47 +2227,43 @@ Result code associated with threat status. Standard HRESULT values.
      Description of the error.
      Reason: The reason Windows Defender real-time protection has restarted a feature.
      -

      -

      User action:

      +User action: - -

      You should restart the system then run a full scan because it's possible the system was not protected for some time. -

      -

      The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. -

      -

      If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -

      + +You should restart the system then run a full scan because it's possible the system was not protected for some time. +The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. +If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -Event ID: 3007 - -

      Symbolic name:

      +Event ID: 3007 + + +Symbolic name: - -

      MALWAREPROTECTION_RTP_FEATURE_RECOVERED

      + +MALWAREPROTECTION_RTP_FEATURE_RECOVERED -

      Message:

      +Message: - -

      Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. -

      + +Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. + -

      Description:

      +Description: - -

      -

      Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

      + +Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
      Feature: <Feature>, for example:
        @@ -2328,96 +2275,97 @@ Description of the error.
      Reason: The reason Windows Defender real-time protection has restarted a feature.
      -

      -

      User action:

      +User action: - -

      The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

      + +The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support. -Event ID: 5000 - -

      Symbolic name:

      +Event ID: 5000 + + +Symbolic name: - -

      MALWAREPROTECTION_RTP_ENABLED -

      + +MALWAREPROTECTION_RTP_ENABLED + -

      Message:

      +Message: - -

      Real-time protection is enabled. -

      + +Real-time protection is enabled. + -

      Description:

      +Description: - -

      Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

      + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled. -Event ID: 5001 - -

      Symbolic name:

      +Event ID: 5001 + + +Symbolic name: - -

      MALWAREPROTECTION_RTP_DISABLED

      + +MALWAREPROTECTION_RTP_DISABLED -

      Message:

      +Message: - -

      Real-time protection is disabled. -

      + +Real-time protection is disabled. + -

      Description:

      +Description: - -

      Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

      + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. -Event ID: 5004 - -

      Symbolic name:

      +Event ID: 5004 + + +Symbolic name: - -

      MALWAREPROTECTION_RTP_FEATURE_CONFIGURED -

      + +MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + -

      Message:

      +Message: - -

      The real-time protection configuration changed. -

      + +The real-time protection configuration changed. + -

      Description:

      +Description: - -

      -

      Windows Defender Real-time Protection feature configuration has changed.

      + +Windows Defender Real-time Protection feature configuration has changed.
      Feature: <Feature>, for example:
        @@ -2429,67 +2377,65 @@ Description of the error.
      Configuration:
      -

      -Event ID: 5007 - -

      Symbolic name:

      +Event ID: 5007 + + +Symbolic name: - -

      MALWAREPROTECTION_CONFIG_CHANGED -

      + +MALWAREPROTECTION_CONFIG_CHANGED + -

      Message:

      +Message: - -

      The antimalware platform configuration changed.

      + +The antimalware platform configuration changed. -

      Description:

      +Description: - -

      -

      Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

      + +Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
      Old value: <Old value number> Old Windows Defender configuration value.
      New value: <New value number> New Windows Defender configuration value.
      -

      -Event ID: 5008 - -

      Symbolic name:

      +Event ID: 5008 + + +Symbolic name: - -

      MALWAREPROTECTION_ENGINE_FAILURE

      + +MALWAREPROTECTION_ENGINE_FAILURE -

      Message:

      +Message: - -

      The antimalware engine encountered an error and failed.

      + +The antimalware engine encountered an error and failed. -

      Description:

      +Description: - -

      -

      Windows Defender engine has been terminated due to an unexpected error.

      + +Windows Defender engine has been terminated due to an unexpected error.
      Failure Type: <Failure type>, for example: Crash @@ -2497,15 +2443,14 @@ or Hang
      Exception Code: <Error code>
      Resource: <Resource>
      -

      -

      User action:

      +User action: - -

      To troubleshoot this event:

        + +To troubleshoot this event:
        1. Try to restart the service.
          • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
          • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. @@ -2514,189 +2459,190 @@ or Hang
          • If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
        -

        -

        User action:

        +User action: - -

        The Windows Defender client engine stopped due to an unexpected error.

        -

        To troubleshoot this event: + +The Windows Defender client engine stopped due to an unexpected error. +To troubleshoot this event:

        1. Run the scan again.
        2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        3. Contact Microsoft Technical Support.
        -

        -Event ID: 5009 - -

        Symbolic name:

        +Event ID: 5009 + + +Symbolic name: - -

        MALWAREPROTECTION_ANTISPYWARE_ENABLED -

        + +MALWAREPROTECTION_ANTISPYWARE_ENABLED + -

        Message:

        +Message: - -

        Scanning for malware and other potentially unwanted software is enabled. -

        + +Scanning for malware and other potentially unwanted software is enabled. + -

        Description:

        +Description: - -

        Windows Defender scanning for malware and other potentially unwanted software has been enabled.

        + +Windows Defender scanning for malware and other potentially unwanted software has been enabled. -Event ID: 5010 - -

        Symbolic name:

        +Event ID: 5010 + + +Symbolic name: - -

        MALWAREPROTECTION_ANTISPYWARE_DISABLED -

        + +MALWAREPROTECTION_ANTISPYWARE_DISABLED + -

        Message:

        +Message: - -

        Scanning for malware and other potentially unwanted software is disabled.

        + +Scanning for malware and other potentially unwanted software is disabled. -

        Description:

        +Description: - -

        Windows Defender scanning for malware and other potentially unwanted software is disabled.

        + +Windows Defender scanning for malware and other potentially unwanted software is disabled. -Event ID: 5011 - -

        Symbolic name:

        +Event ID: 5011 + + +Symbolic name: - -

        MALWAREPROTECTION_ANTIVIRUS_ENABLED

        + +MALWAREPROTECTION_ANTIVIRUS_ENABLED -

        Message:

        +Message: - -

        Scanning for viruses is enabled.

        + +Scanning for viruses is enabled. -

        Description:

        +Description: - -

        Windows Defender scanning for viruses has been enabled.

        + +Windows Defender scanning for viruses has been enabled. -Event ID: 5012 - -

        Symbolic name:

        +Event ID: 5012 + + +Symbolic name: - -

        MALWAREPROTECTION_ANTIVIRUS_DISABLED -

        + +MALWAREPROTECTION_ANTIVIRUS_DISABLED + -

        Message:

        +Message: - -

        Scanning for viruses is disabled. -

        + +Scanning for viruses is disabled. + -

        Description:

        +Description: - -

        Windows Defender scanning for viruses is disabled.

        + +Windows Defender scanning for viruses is disabled. -Event ID: 5100 - -

        Symbolic name:

        +Event ID: 5100 + + +Symbolic name: - -

        MALWAREPROTECTION_EXPIRATION_WARNING_STATE -

        + +MALWAREPROTECTION_EXPIRATION_WARNING_STATE + -

        Message:

        +Message: - -

        The antimalware platform will expire soon. -

        + +The antimalware platform will expire soon. + -

        Description:

        +Description: - -

        -

        Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

        + +Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
        Expiration Reason: The reason Windows Defender will expire.
        Expiration Date: The date Windows Defender will expire.
        -

        -Event ID: 5101 - -

        Symbolic name:

        +Event ID: 5101 + + +Symbolic name: - -

        MALWAREPROTECTION_DISABLED_EXPIRED_STATE -

        + +MALWAREPROTECTION_DISABLED_EXPIRED_STATE + -

        Message:

        +Message: - -

        The antimalware platform is expired. -

        + +The antimalware platform is expired. + -

        Description::

        +Description: - -

        -

        Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

        + +Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
        Expiration Reason:
        Expiration Date:
        @@ -2705,7 +2651,6 @@ Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> Description of the error.
        -

        @@ -2719,58 +2664,52 @@ This section provides the following information about Windows Defender Antivirus - Advice on what to do now Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. - + + +
        - + - - - - + + + + + - + + + - - - + + + - - + + + - - + + + - - - + + + - - - - - + + + + + + + + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - - - - - -
        External error codesError code: 0x80508007
        Error codeMessage displayedPossible reason for errorWhat to do nowMessage +ERR_MP_NO_MEMORY +
        -

        0x80508007 -

        +Possible reason
        -

        ERR_MP_NO_MEMORY -

        +This error indicates that you might have run out of memory.
        Resolution -

        This error indicates that you might have run out of memory. -

        -
        -

        1. Check the available memory on your device.
        2. Close any unused applications that are running to free up memory on your device.
        3. Restart the device and run the scan again.
        -

        Error code: 0x8050800C
        MessageERR_MP_BAD_INPUT_DATA +
        Possible reason -

        0x8050800C

        +This error indicates that there might be a problem with your security product.
        -

        ERR_MP_BAD_INPUT_DATA

        -
        -

        This error indicates that there might be a problem with your security product.

        -
        -

        +

        Resolution
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            +
          2. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows DefenderOr,
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
        2. @@ -2778,195 +2717,149 @@ Use the information in these tables to help troubleshoot Windows Defender Antivi
        3. Restart the device and try again.
        -

        Error code: 0x80508020
        MessageERR_MP_BAD_CONFIGURATION + +
        Possible reason -

        0x80508020

        -
        -

        ERR_MP_BAD_CONFIGURATION -

        -
        -

        This error indicates that there might be an engine configuration error; commonly, this is related to input +This error indicates that there might be an engine configuration error; commonly, this is related to input data that does not allow the engine to function properly. -

        Error code: 0x805080211 +
        MessageERR_MP_QUARANTINE_FAILED + +
        Possible reason -

        0x805080211 -

        -
        -

        ERR_MP_QUARANTINE_FAILED -

        -
        -

        This error indicates that Windows Defender failed to quarantine a threat. -

        +This error indicates that Windows Defender failed to quarantine a threat.
        Error code: 0x80508022 +
        MessageERR_MP_REBOOT_REQUIRED + +
        Possible reason -

        0x80508022 -

        -
        -

        ERR_MP_REBOOT_REQUIRED -

        -
        -

        This error indicates that a reboot is required to complete threat removal. -

        +This error indicates that a reboot is required to complete threat removal.
        -

        0x80508023 -

        +
        +0x80508023 +
        MessageERR_MP_THREAT_NOT_FOUND + +
        Possible reason +This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +
        Resolution -

        ERR_MP_THREAT_NOT_FOUND -

        -
        -

        This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. -

        -
        -

        Run the Microsoft Safety Scanner then update your security software and try again. -

        +Run the Microsoft Safety Scanner then update your security software and try again.
        -

        ERR_MP_FULL_SCAN_REQUIRED -

        -
        -

        This error indicates that a full system scan might be required. -

        -
        -

        Run a full system scan. -

        +
        Error code: 0x80508024
        MessageERR_MP_FULL_SCAN_REQUIRED + +
        Possible reason +This error indicates that a full system scan might be required. +
        Resolution +Run a full system scan.
        Error code: 0x80508025 +
        MessageERR_MP_MANUAL_STEPS_REQUIRED + +
        Possible reason -

        0x80508024 -

        +This error indicates that manual steps are required to complete threat removal. +
        Resolution +Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
        Error code: 0x80508026 +
        MessageERR_MP_REMOVE_NOT_SUPPORTED + +
        Possible reason -

        0x80508025 -

        -
        -

        ERR_MP_MANUAL_STEPS_REQUIRED -

        -
        -

        This error indicates that manual steps are required to complete threat removal. -

        -
        -

        Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. -

        +This error indicates that removal inside the container type might not be not supported. +
        Resolution +Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
        Error code: 0x80508027 +
        MessageERR_MP_REMOVE_LOW_MEDIUM_DISABLED + +
        Possible reason -

        0x80508026 -

        -
        -

        ERR_MP_REMOVE_NOT_SUPPORTED -

        -
        -

        This error indicates that removal inside the container type might not be not supported. -

        -
        -

        Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. -

        +This error indicates that removal of low and medium threats might be disabled. +
        Resolution +Check the detected threats and resolve them as required.
        Error code: 0x80508029 +
        MessageERROR_MP_RESCAN_REQUIRED + +
        Possible reason -

        0x80508027 -

        -
        -

        ERR_MP_REMOVE_LOW_MEDIUM_DISABLED -

        -
        -

        This error indicates that removal of low and medium threats might be disabled. -

        -
        -

        Check the detected threats and resolve them as required. -

        +This error indicates a rescan of the threat is required. +
        Resolution +Run a full system scan.
        Error code: 0x80508030 +
        MessageERROR_MP_CALLISTO_REQUIRED + +
        Possible reason -

        0x80508029 -

        -
        -

        ERROR_MP_RESCAN_REQUIRED -

        -
        -

        This error indicates a rescan of the threat is required. -

        -
        -

        Run a full system scan. -

        +This error indicates that an offline scan is required. +
        Resolution +Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline +article.
        Error code: 0x80508031 +
        MessageERROR_MP_PLATFORM_OUTDATED + +
        Possible reason -

        0x80508030 -

        -
        -

        ERROR_MP_CALLISTO_REQUIRED -

        -
        -

        This error indicates that an offline scan is required. -

        -
        -

        Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline -article.

        -
        -

        0x80508031 -

        -
        -

        ERROR_MP_PLATFORM_OUTDATED -

        -
        -

        This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. -

        -
        -

        You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. -

        +This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +
        Resolution +You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
        @@ -2974,349 +2867,330 @@ article.

        The following error codes are used during internal testing of Windows Defender AV. - +If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint. + + +
        - + - + - - + -
        Internal error codesInternal error codes
        Error codeError code Message displayedPossible reason for errorWhat to do nowPossible reason for error and resolution
        -

        0x80501004

        +0x80501004
        -

        ERROR_MP_NO_INTERNET_CONN -

        +ERROR_MP_NO_INTERNET_CONN +
        -

        Check your Internet connection, then run the scan again.

        -
        -

        Check your Internet connection, then run the scan again.

        +Check your Internet connection, then run the scan again.
        -

        0x80501000

        +0x80501000
        -

        ERROR_MP_UI_CONSOLIDATION_BASE

        +ERROR_MP_UI_CONSOLIDATION_BASE
        -

        This is an internal error. The cause is not clearly defined.

        +This is an internal error. The cause is not clearly defined.
        -

        -

          -
        1. Update the definitions. Either:
            -
          1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

            Or,

            -
          2. -
          3. Download the latest definitions from the Microsoft Malware Protection Center. -

            Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

            -
          4. -
          -
        2. -
        3. Run a full scan. -
        4. -
        5. Restart the device and try again.
        6. -
        -

        +
        -

        0x80501001

        +0x80501001
        -

        ERROR_MP_ACTIONS_FAILED

        +ERROR_MP_ACTIONS_FAILED
        -

        0x80501002

        +0x80501002
        -

        ERROR_MP_NOENGINE

        +ERROR_MP_NOENGINE
        -

        0x80501003

        +0x80501003
        -

        ERROR_MP_ACTIVE_THREATS

        +ERROR_MP_ACTIVE_THREATS
        -

        0x805011011

        +0x805011011
        -

        MP_ERROR_CODE_LUA_CANCELLED

        +MP_ERROR_CODE_LUA_CANCELLED
        -

        0x80501101

        +0x80501101
        -

        ERROR_LUA_CANCELLATION

        +ERROR_LUA_CANCELLATION
        -

        0x80501102

        +0x80501102
        -

        MP_ERROR_CODE_ALREADY_SHUTDOWN

        +MP_ERROR_CODE_ALREADY_SHUTDOWN
        -

        0x80501103

        +0x80501103
        -

        MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

        +MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
        -

        0x80501104

        +0x80501104
        -

        MP_ERROR_CODE_CANCELLED

        +MP_ERROR_CODE_CANCELLED
        -

        0x80501105

        +0x80501105
        -

        MP_ERROR_CODE_NO_TARGETOS

        +MP_ERROR_CODE_NO_TARGETOS
        -

        0x80501106

        +0x80501106
        -

        MP_ERROR_CODE_BAD_REGEXP

        +MP_ERROR_CODE_BAD_REGEXP
        -

        0x80501107

        +0x80501107
        -

        MP_ERROR_TEST_INDUCED_ERROR

        +MP_ERROR_TEST_INDUCED_ERROR
        -

        0x80501108

        +0x80501108
        -

        MP_ERROR_SIG_BACKUP_DISABLED

        +MP_ERROR_SIG_BACKUP_DISABLED
        -

        0x80508001

        +0x80508001
        -

        ERR_MP_BAD_INIT_MODULES

        +ERR_MP_BAD_INIT_MODULES
        -

        0x80508002

        +0x80508002
        -

        ERR_MP_BAD_DATABASE

        +ERR_MP_BAD_DATABASE
        -

        0x80508004

        +0x80508004
        -

        ERR_MP_BAD_UFS

        +ERR_MP_BAD_UFS
        -

        0x8050800C

        +0x8050800C
        -

        ERR_MP_BAD_INPUT_DATA

        +ERR_MP_BAD_INPUT_DATA
        -

        0x8050800D

        +0x8050800D
        -

        ERR_MP_BAD_GLOBAL_STORAGE

        +ERR_MP_BAD_GLOBAL_STORAGE
        -

        0x8050800E

        +0x8050800E
        -

        ERR_MP_OBSOLETE

        +ERR_MP_OBSOLETE
        -

        0x8050800F

        +0x8050800F
        -

        ERR_MP_NOT_SUPPORTED

        +ERR_MP_NOT_SUPPORTED
        -

        0x8050800F +0x8050800F 0x80508010 -

        -

        ERR_MP_NO_MORE_ITEMS

        +ERR_MP_NO_MORE_ITEMS
        -

        0x80508011

        +0x80508011
        -

        ERR_MP_DUPLICATE_SCANID

        +ERR_MP_DUPLICATE_SCANID
        -

        0x80508012

        +0x80508012
        -

        ERR_MP_BAD_SCANID

        +ERR_MP_BAD_SCANID
        -

        0x80508013

        +0x80508013
        -

        ERR_MP_BAD_USERDB_VERSION

        +ERR_MP_BAD_USERDB_VERSION
        -

        0x80508014

        +0x80508014
        -

        ERR_MP_RESTORE_FAILED

        +ERR_MP_RESTORE_FAILED
        -

        0x80508016

        +0x80508016
        -

        ERR_MP_BAD_ACTION

        +ERR_MP_BAD_ACTION
        -

        0x80508019

        +0x80508019
        -

        ERR_MP_NOT_FOUND

        +ERR_MP_NOT_FOUND
        -

        0x80509001

        +0x80509001
        -

        ERR_RELO_BAD_EHANDLE

        +ERR_RELO_BAD_EHANDLE
        -

        0x80509003

        +0x80509003
        -

        ERR_RELO_KERNEL_NOT_LOADED

        +ERR_RELO_KERNEL_NOT_LOADED
        -

        0x8050A001

        +0x8050A001
        -

        ERR_MP_BADDB_OPEN

        +ERR_MP_BADDB_OPEN
        -

        0x8050A002

        +0x8050A002
        -

        ERR_MP_BADDB_HEADER

        +ERR_MP_BADDB_HEADER
        -

        0x8050A003

        +0x8050A003
        -

        ERR_MP_BADDB_OLDENGINE

        +ERR_MP_BADDB_OLDENGINE
        -

        0x8050A004

        +0x8050A004
        -

        ERR_MP_BADDB_CONTENT

        +ERR_MP_BADDB_CONTENT
        -

        0x8050A005

        +0x8050A005
        -

        ERR_MP_BADDB_NOTSIGNED

        +ERR_MP_BADDB_NOTSIGNED
        -

        0x8050801

        +0x8050801
        -

        ERR_MP_REMOVE_FAILED

        +ERR_MP_REMOVE_FAILED
        -

        This is an internal error. It might be triggered when malware removal is not successful. -

        +This is an internal error. It might be triggered when malware removal is not successful.
        -

        0x80508018 -

        +0x80508018
        -

        ERR_MP_SCAN_ABORTED -

        +ERR_MP_SCAN_ABORTED +
        -

        This is an internal error. It might have triggered when a scan fails to complete. -

        +This is an internal error. It might have triggered when a scan fails to complete.
diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index 661ce72277..79abd8d757 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index d7904ec127..49226c4cf3 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index ae1135c98c..91fc5c207e 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index 39b5a2ad99..306bf240d2 100644
--- a/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 5a534796e0..49d63c897a 100644
--- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 6bef064955..84504a1aae 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -8,8 +8,10 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index bcce59abef..8b27b216a4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Antivirus
-description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -8,20 +8,21 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -localizationpriority: medium +ms.localizationpriority: medium author: iaanw --- -# Windows Defender Antivirus in Windows 10 +# Windows Defender Antivirus in Windows 10 and Windows Server 2016 **Applies to** - Windows 10 +- Windows Server 2016 Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. -For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx). +For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Windows Defender AV can be managed with: - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
@@ -57,14 +58,14 @@ See the [In this library](#in-this-library) list at the end of this topic for li ## Minimum system requirements -Windows Defender has the same hardware requirements as Windows 10. For more information, see: +Windows Defender AV has the same hardware requirements as Windows 10. For more information, see: - [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) - [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic. -Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). +Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). 
@@ -73,10 +74,13 @@ Functionality, configuration, and management is largely the same when using Wind Topic | Description :---|:--- -[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script -[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools -[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings +[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place +[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions +[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection +[Evaluate Windows Defender AV 
protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script +[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools +[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues +[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here 
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index b3305b6b1c..f15f7b81a6 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Antivirus on Windows Server 2016
-description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+description: Enable and configure Windows Defender AV on Windows Server 2016
 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -8,12 +8,12 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
-# Windows Defender Antivirus on Windows Server
+# Windows Defender Antivirus on Windows Server 2016
 **Applies to:**
@@ -36,15 +36,124 @@ author: iaanw Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. -See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features. - While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences: - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product. +This topic includes the following instructions for setting up and running Windows Defender AV on a server platform: + +- [Enable the interface](#BKMK_UsingDef) + +- [Verify Windows Defender AV is running](#BKMK_DefRun) + +- [Update antimalware definitions](#BKMK_UpdateDef) + +- [Submit Samples](#BKMK_DefSamples) + +- [Configure automatic exclusions](#BKMK_DefExclusions) + + +## Enable the interface +By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. + +You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic. 
+ +The following PowerShell cmdlet will enable the interface: + +```PowerShell +Install-WindowsFeature -Name Windows-Defender-GUI +``` + +The following cmdlet will disable the interface: + +```PS +Uninstall-WindowsFeature -Name Windows-Server-Antimalware +``` + +> [!TIP] +> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). + + + +## Verify Windows Defender is running +To verify that Windows Defender AV is running on the server, run the following command from a command prompt: + +```DOS +sc query Windefend +``` + +The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`. + + +## Update antimalware definitions +In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage. + +By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods: + +- **Windows Update** in Control Panel. + + - **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates. + + - **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +- **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** + +- The **AUOptions** registry key. 
The following two values allow Windows Update to automatically download and install definition updates. + + - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates. + + - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +To ensure that protection from malware is maintained, we recommend that you enable the following services: + +- Windows Defender Network Inspection service + +- Windows Error Reporting service + +- Windows Update service + +The following table lists the services for Windows Defender and the dependent services. + +|Service Name|File Location|Description| +|--------|---------|--------| +|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| +|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.| +|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| +|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.| +|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| + + + + +## Submit Samples +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions. 
+ +We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. + +### Enable automatic sample submission + +- To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings: + + - **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI. + + - **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files. + + - **2** Never send. The Windows Defender service does not prompt and does not send any files. + + - **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation. + + +## Configure automatic exclusions +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016. + +See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. + + ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) \ No newline at end of file +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) + + diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md index af07823d3a..4672b5eff4 100644 
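Review bot: In the added "Enable the interface" section, the cmdlet given for disabling the interface, `Uninstall-WindowsFeature -Name Windows-Server-Antimalware`, does not name the feature that the enable step installs (`Windows-Defender-GUI`). From its name it looks like the antimalware feature itself rather than the UI, so an administrator who follows the step to hide the interface may end up removing protection from the server; this should be confirmed against the feature list on a Windows Server 2016 host before publishing. If only the interface is meant, the symmetric form is `Uninstall-WindowsFeature -Name Windows-Defender-GUI`, and if removing the feature is intended the sentence above the fence should say so explicitly. The two fences are also tagged differently (`PowerShell` and `PS`); use one tag for both.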
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 2a053cc803..107ae34521 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
@@ -44,7 +44,7 @@ Settings that were previously part of the Windows Defender client and main Windo
 >This will significantly lower the protection of your device and could lead to malware infection.
-See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
+See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
 >[!NOTE]
 >The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index e32f2b9d8d..3e2f82bcdc 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Turn on advanced features in Windows Defender ATP
@@ -27,14 +28,25 @@ Turn on the following advanced features to get better protected from potentially ## Block file This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. -If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. +If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. -## Office 365 Security Center integration +## Show user details +When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views: +- Dashboard +- Alert queue +- Machine details page + +For more information, see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md). + +## Skype for Business integration +Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. + +## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. 
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. - +## Enable advanced features 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 3. Click **Save preferences**. @@ -43,3 +55,5 @@ When you enable this feature, you'll be able to incorporate data from Office 365 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 5ae7bf350c..c56729bba8 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high --- # View and organize the Windows Defender Advanced Threat Protection Alerts queue 
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index 78add1c8f2..bec8ac80d7 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows Defender ATP alert API fields
diff --git a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 429ac0c65b..8084be4e84 100644
--- a/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Assign user access to the Windows Defender ATP portal
diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index eba6caa7cc..ff45bb42eb 100644
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Check sensor health state in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index 385a17c7b8..df4b70e28a 100644
--- a/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure HP ArcSight to pull Windows Defender ATP alerts
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 494eb84889..97bfb2b0af 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure email notifications in Windows Defender ATP
@@ -71,3 +72,5 @@ This section lists various issues that you may encounter when using email notifi
 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 8fd5e8aa13..d544e11c73 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure endpoints using Group Policy
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index a17a666708..2c8aed6960 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high --- # Configure endpoints using Mobile Device Management tools @@ -105,7 +106,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint management** on the **Navigation pane**. + a. Select **Endpoint management** > **Client management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. 
@@ -123,30 +124,44 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V ![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png) -4. Type a name, description and choose **Windows 10 and later** as the Platform and **Windows Defender ATP (Windows 10 Desktop)** as the Profile type. +6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type. - ![Image of naming a policy](images/atp-azure-intune-create-policy-configure.png) + ![Image of naming a policy](images/atp-intune-custom.png) 7. Click **Settings** > **Configure**. - ![Image of settings](images/atp-azure-intune-settings-configure.png) + ![Image of settings](images/atp-intune-configure.png) -8. Click the folder icon and select the WindowsDefenderATP.onboarding file you extracted earlier. Configure whether you want to allow sample collection from endpoints for [Deep Analysis](investigate-files-windows-defender-advanced-threat-protection.md) by choosing **All**, or disable this feature by choosing **None**. When complete, click **OK**. +8. Under Custom OMA-URI Settings, click **Add**. - ![Image of configuration settings](images/atp-azure-intune-configure.png) + ![Image of configuration settings](images/atp-custom-oma-uri.png) -9. Click **Create**. +9. Enter the following values, then click **OK**. - ![Image of profile creation](images/atp-azure-intune-create.png) + ![Image of profile creation](images/atp-oma-uri-values.png) -10. Search for and select the Group you want to apply the Configuration Policy to, then click **Select**. + - **Name**: Type a name for the setting. + - **Description**: Type a description for the setting. + - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_ + - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded. 
- ![Image of select groups to apply configuration policy](images/atp-azure-intune-select-group.png) +10. Save the settings by clicking **OK**. + +11. Click **Create**. -11. Click **Save** to finish deploying the Configuration Policy. + ![Image of the policy being created](images/atp-intune-create-policy.png) - ![Image of the policy being saved](images/atp-azure-intune-save-policy.png) +12. To deploy the Profile, click **Assignments**. + ![Image of groups](images/atp-intune-assignments.png) + +13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**. + + ![Image of groups](images/atp-intune-group.png) + +14. Click **Save** to finish deploying the Configuration Profile. + + ![Image of deployment](images/atp-intune-save-deployment.png) ### Offboard and monitor endpoints diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 1976fb8703..59794d532f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high --- # Configure endpoints using System Center Configuration Manager diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 1bde6ab2f6..0f47beb693 100644 
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure endpoints using a local script
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 73d4781fa1..f0e8bcee5c 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure Windows Defender ATP endpoints
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index c497229e55..1a162b7913 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
diff --git a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
index 5bd33553ac..7b1168f940 100644
--- a/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Pull alerts to your SIEM tools
diff --git a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 24412f45b9..f698a6aeb3 100644
--- a/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Configure Splunk to pull Windows Defender ATP alerts
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index c801b3feab..9a12691b2c 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Create custom alerts using the threat intelligence (TI) application program interface (API)
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 07eb913511..6c6ffef9ba 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # View the Windows Defender Advanced Threat Protection Dashboard
diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index ad99762845..740f5bfac2 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows Defender ATP data storage and privacy
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index a10edb15c5..4a0d314348 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Windows Defender compatibility
diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 588dc98570..000296d697 100644
--- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Enable the custom threat intelligence API in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 53cc303fdd..13f4d9520a 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Enable SIEM integration in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index c32cb54316..cea3a9d683 100644
--- a/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: iawilt
 author: iaanw
-localizationpriority: high
+ms.localizationpriority: high
 ---
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index a74dd4b020..ebd6f01e25 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Experiment with custom threat intelligence (TI) alerts
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 8b5493c587..ec792a86dc 100644
--- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Fix unhealthy sensors in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index aca26a9b12..4e1390a814 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Update general Windows Defender ATP settings
@@ -34,5 +35,7 @@ During the onboarding process, a wizard takes you through the general settings o ## Related topics - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) -- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png index b2380e0236..bc0275c622 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png index 9c41b16d73..7bb3ec3bb5 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-create-profile.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png
index 4d1885054b..acf42ec448 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-intune-device-config.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png b/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png
new file mode 100644
index 0000000000..8c3b8b4deb
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png
new file mode 100644
index 0000000000..614424a2ae
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-custom-oma-uri.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png
new file mode 100644
index 0000000000..11c2bf608b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-assignments.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png
new file mode 100644
index 0000000000..90f5b5b557
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-configure.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png
new file mode 100644
index 0000000000..3e486c0565
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-create-policy.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png
new file mode 100644
index 0000000000..c846a207df
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-custom.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png
new file mode 100644
index 0000000000..345a260612
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-group.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png
new file mode 100644
index 0000000000..e71db86d17
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-intune-save-deployment.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png
index 6be87715e9..b97c524a43 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png and b/windows/threat-protection/windows-defender-atp/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png b/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
new file mode 100644
index 0000000000..b330f34ac1
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png
new file mode 100644
index 0000000000..bad96b9438
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-oma-uri-values.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index c621085545..22cb47ce0e 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Investigate Windows Defender Advanced Threat Protection alerts
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index b107b3b042..bb040b50a1 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Investigate a domain associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index ebf5a67b89..60f65b2052 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Investigate a file associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index b531ee93f6..486af0335d 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Investigate an IP address associated with a Windows Defender ATP alert
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 435dc1a3c2..2a4675f3c4 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Investigate machines in the Windows Defender ATP Machines list
diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 9f45aa0817..3fad51eada 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Investigate a user account in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index ddcf2f5185..a36ea1a0a9 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high --- # View and organize the Windows Defender ATP Machines list diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 9dd0f7d8b2..fb191cc3b3 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -7,8 +7,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.author: macapara author: mjcaparas -localizationpriority: high +ms.localizationpriority: high --- # Manage Windows Defender Advanced Threat Protection alerts @@ -56,7 +57,7 @@ Windows Defender ATP lets you create suppression rules so you can limit the aler Suppression rules can be created from an existing alert. -When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed. +When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. There are two contexts for a suppression rule that you can choose from: 
@@ -65,20 +66,38 @@ There are two contexts for a suppression rule that you can choose from: The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: -**Context** | **Definition** |**Example scenarios** ----|---|--- -**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.

        All other alerts on that machine will not be suppressed. |
        • A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
        • A developer regularly creates PowerShell scripts for their team.
        -**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. |
        • A benign administrative tool is used by everyone in your organization.
        +| **Context** | **Definition** | **Example scenarios** | +|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.

        All other alerts on that machine will not be suppressed. |
        • A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
        • A developer regularly creates PowerShell scripts for their team.
        | +| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. |
        • A benign administrative tool is used by everyone in your organization.
        | -**Suppress an alert and create a suppression rule:** +### Suppress an alert and create a new suppression rule: +Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert. 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane. -2. Scroll down to the **Supression rules** section. -3. Choose the context for suppressing the alert. -> [!NOTE] -> You cannot create a custom or blank suppression rule. You must start from an existing alert. +2. Scroll down to the **Create a supression rule** section. + + ![Image of alert status](images/atp-create-suppression-rule.png) + +3. Choose the context for suppressing the alert. + + ![Image of alert status](images/atp-new-suppression-rule.png) + + > [!NOTE] + > You cannot create a custom or blank suppression rule. You must start from an existing alert. +4. Specify the conditions for when the rule is applied: + - Alert title + - Indicator of compromise (IOC) + - Suppression conditions + + > [!NOTE] + > The SHA1 of the alert cannot be modified +5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization. + +6. Click **Save and close**. + **See the list of suppression rules:** diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 82efa42cc1..34e836f47e 100644 
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: iawilt
 author: iaanw
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Minimum requirements for Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 0acb1a9351..b433fffe39 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: iaanw
-localizationpriority: high
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
 ---
 
 # Onboard and set up Windows Defender Advanced Threat Protection
diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index 6104ea6ffb..6105da4bd7 100644
--- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: DulceMV
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Windows Defender Advanced Threat Protection portal overview
diff --git a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index c34193f76e..68be48aa4f 100644
--- a/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # PowerShell code examples for the custom threat intelligence API
diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index e2904380b5..66b0319b67 100644
--- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Configure Windows Defender ATP preferences settings
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 8ae02a81bb..8a3c2389d9 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Turn on the preview experience in Windows Defender ATP
@@ -29,3 +30,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea
 - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
 - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
 - [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 8fb19c7e1a..4347ed4f8c 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Windows Defender ATP preview features
diff --git a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 2c68f00d27..38e72858dc 100644
--- a/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Pull Windows Defender ATP alerts using REST API
diff --git a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index dc44b7cbea..d9602489d5 100644
--- a/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Python code examples for the custom threat intelligence API
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 220ed86e05..7f69b9369f 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Take response actions on a file
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index d0c899983f..3c8baf58e6 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Take response actions on a machine
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 597cefb9a1..eef6296540 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Take response actions in Windows Defender ATP
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 088b4ed61a..edd9a3e180 100644
--- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Check the Windows Defender Advanced Threat Protection service health
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index caaafb618e..6dd42769f1 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: DulceMV
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Windows Defender Advanced Threat Protection settings
diff --git a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index d1968d5761..c5cc1addec 100644
--- a/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Understand threat intelligence concepts
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index 40fc971abf..1d8d5a0b52 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Troubleshoot custom threat intelligence issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index a43f5f374c..8575f7b937 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index c782fef5df..0a66cc942d 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Troubleshoot SIEM tool integration issues
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 088a82e8d9..5bb2935a52 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Troubleshoot Windows Defender Advanced Threat Protection
diff --git a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index ba2be9225a..d4e2d80927 100644
--- a/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Use the threat intelligence API to create custom alerts
diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
index 6b8436e6ef..3c7f06e779 100644
--- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Use the Windows Defender Advanced Threat Protection portal
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 8f73a17944..512dd52132 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -7,8 +7,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.author: macapara
 author: mjcaparas
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Windows Defender Advanced Threat Protection
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index f8376c934c..84618a3d06 100644
--- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -8,7 +8,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-localizationpriority: medium
+ms.localizationpriority: medium
 author: iaanw
 ---
 
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 506e512699..957fc1f33b 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 9b1db90c72..9f850fbb1d 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Windows Defender SmartScreen
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index e611009fcf..45117e0ad1 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Set up and use Windows Defender SmartScreen on individual devices
diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
index 6f41240d2b..5e1df99718 100644
--- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 9316b2ab60..2b6985d243 100644
--- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # How to collect Windows Information Protection (WIP) audit event logs
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 76d9d3a63c..50bf85a578 100644
--- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 15e17ff463..e4edc3e586 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 043f638474..7b54968b51 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 5726426cf1..6f9d99a876 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 
 # Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
@@ -364,7 +364,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 ### Define your enterprise-managed corporate identity
 Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
 **To change your corporate identity**
@@ -372,7 +372,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 The **Required settings** blade appears.
-2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
+2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
 ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index cbdd0a70de..2f74bae405 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) with enrollment policy using the classic console for Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10)
 description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
 ms.prod: w10
@@ -7,10 +7,10 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
-# Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune
+# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
 **Applies to:**
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index d8a879c4d2..16465baf1b 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 60eb44c676..b953181936 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index a3b19da3c4..1cdad28951 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 159440b9aa..3694e13ba8 100644
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
index af85cdebaf..73eddd870d 100644
--- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # General guidance and best practices for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
index 1481a21f0d..c2274ee1e8 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png differ
diff --git a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
index 4bbd91028f..a1e3ed0c57 100644
Binary files a/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and b/windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png differ
diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
index 18971e3fe1..67b6897a16 100644
--- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Limitations while using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index dfd5630dc2..d810066027 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index caf17860ce..428c25c20d 100644
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Create a Windows Information Protection (WIP) policy
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 19071542aa..934aa9ae7c 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Protect your enterprise data using Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index f07d6ab555..418c24c0ef 100644
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
index a46e4231ad..0c5aff23c1 100644
--- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Testing scenarios for Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
index d60d0bf4ad..e2aacd97c4 100644
--- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Using Outlook on the web with Windows Information Protection (WIP)
diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
index c3c1f07f56..fbf77802f5 100644
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index c963eb975e..460964a3ed 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -31,7 +31,7 @@ If you've previously contributed to topics in the Microsoft repositories, congra
 ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 5. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
+ - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
 - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index e0bd472d86..8f5712038b 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -5,7 +5,7 @@ ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
 ms.prod: w10
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # What's new in Windows 10
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 09d1e54940..bfb93ebeb4 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # What's new in Windows 10, versions 1507 and 1511
@@ -201,7 +201,7 @@ Event ID 6416 has been added to track when an external device is detected throug
 The following sections describe the new and changed functionality in the TPM for Windows 10:
 - [Device health attestation](#bkmk-dha)
 - [Microsoft Passport](/windows/access-protection/hello-for-business/hello-identity-verification) support
-- [Device Guard](/windows/access-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
+- [Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) support
 - [Credential Guard](/windows/access-protection/credential-guard/credential-guard) support
 ### Device health attestation
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 07612029c5..982900b337 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: TrudyHa
-localizationpriority: high
+ms.localizationpriority: high
 ---
 # What's new in Windows 10, version 1607
@@ -31,13 +31,13 @@ Windows ICD now includes simplified workflows for creating provisioning packages
 [Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
-### Windows Upgrade Analytics
+### Windows Upgrade Readiness
-Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
-Use Upgrade Analytics to get:
+Use Upgrade Readiness to get:
 - A visual workflow that guides you from pilot to production
 - Detailed computer and application inventory
@@ -47,9 +47,9 @@ Use Upgrade Analytics to get:
 - Application usage information, allowing targeted validation; workflow to track validation progress and decisions
 - Data export to commonly used software deployment tools
-The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are upgrade-ready.
-[Learn more about planning and managing Windows upgrades with Windows Upgrade Analytics.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-analytics)
+[Learn more about planning and managing Windows upgrades with Windows Upgrade Readiness.](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
 ## Windows updates
@@ -102,7 +102,7 @@ Several new features and management options have been added to Windows Defender
 - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
 - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-block-at-first-sight) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
 - [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
 - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
 - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index f819d4326c..f9ecc8bc12 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,12 +1,12 @@
 ---
-title: What's in Windows 10, version 1703
+title: What's new in Windows 10, version 1703
 description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
 keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: JasonGerend
-localizationpriority: high
+ms.localizationpriority: high
 ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
 ---
@@ -151,7 +151,7 @@ You can read more about ransomware mitigations and detection capability in Windo
 ### Device Guard and Credential Guard
 Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](/windows/access-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard//credential-guard-requirements#security-considerations).
+For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
 ### Group Policy Security Options
@@ -171,9 +171,9 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
 For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
 ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
 ## Update
@@ -295,6 +295,37 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
 - Set Ethernet port properties
 - Set proxy properties for the Ethernet port
+## Miracast on existing wireless network or LAN
+
+In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+
+### How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+### Enabling Miracast over Infrastructure
+
+If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature.
To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703.
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
 ## New features in related products
 The following new features aren't part of Windows 10, but help you make the most of it.