diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index d8e96bc586..8f10c8e96a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,59 +1,64 @@
-{ 
+{
 "redirections": [
 {
+"source_path": "windows/device-security/windows-security-baselines.md",
+"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
+"redirect_document_id": false 
+},
+{
 "source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
 "redirect_url": "/education/windows/switch-to-pro-education",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
 "redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
-"redirect_document_id": false 
+"redirect_document_id": false
 },
 {
 "source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
-"redirect_document_id": false 
+"redirect_document_id": false
 },
 {
 "source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus",
-"redirect_document_id": true 
+"redirect_document_id": true
 },
 {
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
@@ -535,7 +540,7 @@
 "redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
 },
-{ 
+{
 "source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md",
 "redirect_url": "https://technet.microsoft.com/library/jj635854.aspx",
 "redirect_document_id": true
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index b658a09d5d..a24d9b1905 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -11,6 +11,12 @@ localizationpriority: medium
 
 # What's new in Windows 10, version 1703 for Microsoft Surface Hub?
 
+Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update). 
+
+<a href="http://www.youtube.com/watch?feature=player_embedded&v=R8tX10VIgq0
+" target="_blank"><img src="http://img.youtube.com/vi/R8tX10VIgq0/0.jpg" 
+alt="Watch a video about Creators Update on Surface Hub" width="240" height="180" border="10" /></a>
+
 Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
 
 ## New settings
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 056064b880..39d7708dde 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -44,7 +44,7 @@ This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
 
 Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur.
 
-The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command.
+The following command modifiers are available. Commands terminate with a new line character (\n). Responses can come at any time in response to state changes not triggered directly by a management port command.
 
 | Modifier | Result |
 | --- | --- |
diff --git a/education/index.md b/education/index.md
index 0bb10155b3..3f8576dfca 100644
--- a/education/index.md
+++ b/education/index.md
@@ -207,6 +207,25 @@ author: CelesteDG
                                     </div>
                                 </a>
                             </li>
+                            <li>
+                                <a href="/education/windows/use-set-up-school-pcs-app">
+                                    <div class="cardSize">
+                                        <div class="cardPadding">
+                                            <div class="card">
+                                                <div class="cardImageOuter">
+                                                    <div class="cardImage bgdAccent1"> 
+                                                        <img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
+                                                    </div>
+                                                </div>
+                                                <div class="cardText">
+                                                    <h3>Set up School PCs</h3>
+                                                    <p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
+                                                </div>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </a>
+                            </li>
                         </ul>
                     </li>
                 </ul>
@@ -331,6 +350,25 @@ author: CelesteDG
                                     </div>
                                 </a>
                             </li>
+                            <li>
+                                <a href="/education/windows/use-set-up-school-pcs-app">
+                                    <div class="cardSize">
+                                        <div class="cardPadding">
+                                            <div class="card">
+                                                <div class="cardImageOuter">
+                                                    <div class="cardImage bgdAccent1"> 
+                                                        <img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
+                                                    </div>
+                                                </div>
+                                                <div class="cardText">
+                                                    <h3>Set up School PCs</h3>
+                                                    <p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
+                                                </div>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </a>
+                            </li>
                         </ul>
                     </li>
                 </ul>
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 897f7df8c4..715ba27c8a 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind
 
 You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
 - [Set up School PCs](use-set-up-school-pcs-app.md)
-- Intune for Education (coming soon)
+- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings)
 
 ## AllowCortana
 **AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana). 
@@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K
 ### Configurations
 
 #### IP registration for entire school network using Microsoft Edge
-Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
+Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
 
 **District information**
 - **District or School Name:**
diff --git a/education/windows/index.md b/education/windows/index.md
index 49ea89c1eb..9d3f183b1d 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -44,7 +44,7 @@ author: CelesteDG
 <p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
 <p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
 
-### ![Switch to Windows 10 for Education](images/windows.png) Switch
+## ![Switch to Windows 10 for Education](images/windows.png) Switch
 
 <p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
 
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 7c998c3e0b..39f0826ba4 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant:
 
     ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png)
 
-- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time.
+- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.
 
     In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. 
 
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
index e5affe8444..a42e464435 100644
--- a/education/windows/switch-to-pro-education.md
+++ b/education/windows/switch-to-pro-education.md
@@ -159,7 +159,7 @@ Once you enable the setting to switch to Windows 10 Pro Education, the switch wi
 
 **To turn on the automatic switch to Windows 10 Pro Education**
 
-1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account.
+1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account.
 
   If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use.
 
@@ -341,7 +341,7 @@ Once the automatic switch to Windows 10 Pro Education is turned off, the change
 
 **To roll back Windows 10 Pro Education to Windows 10 Pro**
 
-1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
+1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.
 
diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md
index e2266ea8a6..637220cb67 100644
--- a/store-for-business/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-windows-store-for-business-account-settings.md
@@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business
 - Switzerland
 - United Kingdom
 
-These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps.  
+These countries can provide their VAT number or local equivalent in **Payments & billing**.   
 
 |Market| Tax identifier |
 |------|----------------|
-| Brazil | CPNJ (required), CCMID  (optional) |
-| India | CST ID, VAT ID |
-| Taiwan | Unified business number|
+| Brazil | CNPJ (required) |
+| India | CST ID, VAT ID (both are optional) |
+| Taiwan | VAT ID (optional) |
 
 ### Tax-exempt status 
 
diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md
index 92902b6347..0edcf1dfa2 100644
--- a/store-for-business/windows-store-for-business-overview.md
+++ b/store-for-business/windows-store-for-business-overview.md
@@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set
 
 Microsoft Store for Business and Education is currently available in these markets.
 
+<!--- <table>
+   <tr>
+        <th align="center" colspan="4">Support for free and paid apps</th>
+   </tr>
+   <tr align="left">
+     <td>
+        <ul>
+            <li>Algeria</li>
+            <li>Angola</li>
+            <li>Argentina</li>
+            <li>Australia</li>
+            <li>Austria</li>
+            <li>Bahamas</li>
+            <li>Bahrain</li>
+            <li>Bangladesh</li>
+            <li>Barbados</li>
+            <li>Belgium</li>
+            <li>Belize</li>
+            <li>Bermuda</li>
+            <li>Bhutan</li>
+            <li>Bolivia</li>
+            <li>Botswana</li>
+            <li>Brunei Darussalam</li>
+            <li>Bulgaria</li>
+            <li>Cambodia</li>
+            <li>Cameroon</li>
+            <li>Canada</li>
+            <li>Republic of Cabo Verde</li>
+            <li>Cayman Islands</li>
+            <li>Chile</li>
+            <li>Colombia</li>
+            <li>Costa Rica</li>
+            <li>C&ocirc;te D'ivoire</li>
+            <li>Croatia</li>
+            <li>Cur&ccedil;ao</li>
+            <li>Cyprus</li>
+        </ul>
+    </td>
+     <td>
+        <ul>
+            <li>Czech Republic</li>
+            <li>Denmark</li>
+            <li>Dominican Republic</li>
+            <li>Ecuador</li>
+            <li>Egypt</li>
+            <li>El Salvador</li>
+            <li>Estonia</li>
+            <li>Faroe Islands</li>
+            <li>Fiji</li>
+            <li>Finland</li>
+            <li>France</li>
+            <li>Germany</li>
+            <li>Ghana</li>
+            <li>Greece</li>
+            <li>Guadeloupe</li>
+            <li>Guatemala</li>
+            <li>Honduras</li>
+            <li>Hong Kong SAR</li>
+            <li>Hungary</li>
+            <li>Iceland</li>
+            <li>Indonesia</li>
+            <li>Iraq</li>
+            <li>Ireland</li>
+            <li>Israel</li>
+            <li>Italy</li>
+            <li>Jamaica</li>
+            <li>Japan</li>
+            <li>Jordan</li>
+            <li>Kenya</li> 
+        </ul>
+    </td>
+    <td>
+        <ul>
+            <li>Kuwait</li>
+            <li>Latvia</li>
+            <li>Lebanon</li>
+            <li>Libya</li>
+            <li>Liechtenstein</li>
+            <li>Lithuania</li>
+            <li>Luxembourg</li>
+            <li>Malaysia</li>
+            <li>Malta</li>
+            <li>Mauritius</li>
+            <li>Mexico</li>
+            <li>Mongolia</li>
+            <li>Montenegro</li>
+            <li>Morocco</li>
+            <li>Mozambique</li>
+            <li>Namibia</li>
+            <li>Netherlands</li>
+            <li>New Zealand</li>
+            <li>Nicaragua</li>
+            <li>Nigeria</li>
+            <li>Norway</li>
+            <li>Oman</li>
+            <li>Pakistan</li>
+            <li>Palestinian Authority</li>
+            <li>Panama</li>
+            <li>Paraguay</li>
+            <li>Peru</li>
+            <li>Philippines</li>
+            <li>Poland</li>          
+        </ul>
+    </td>
+    <td>
+        <ul>
+            <li>Portugal</li>
+            <li>Puerto Rico</li>
+            <li>Qatar</li>
+            <li>Romania</li>
+            <li>Rwanda</li>
+            <li>Saint Kitts and Nevis</li>
+            <li>Saudi Arabia</li>
+            <li>Senegal</li>
+            <li>Serbia</li>
+            <li>Singapore</li>
+            <li>Slovakia</li>
+            <li>Slovenia</li>
+            <li>South Africa</li>
+            <li>Spain</li>
+            <li>Sweden</li>
+            <li>Switzerland</li>
+            <li>Tanzania</li>
+            <li>Thailand</li>
+            <li>Trinidad and Tobago</li>
+            <li>Tunisia</li>
+            <li>Turkey</li>
+            <li>Uganda</li>
+            <li>United Arab Emirates</li>
+            <li>United Kingdom</li>
+            <li>United States</li>           
+        </ul>
+    </td>
+    <td>
+        <ul>
+            <li>Uruguay</li>
+            <li>Viet Nam</li>
+            <li>Virgin Islands, U.S.</li>
+            <li>Zambia</li>
+            <li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>           
+        </ul>
+    </td>
+   </tr>
+</table>
+
+<table>
+   <tr>
+        <th align="center">Support for free apps only</th>
+   </tr>
+   <tr align="left">
+     <td>
+        <ul>
+            <li>Russia</li>
+        </ul>
+    </td>
+   </tr>
+</table>
+
+<table>
+   <tr>
+        <th align="center">Support for free apps and Minecraft: Education Edition</th>
+   </tr>
+   <tr align="left">
+     <td>
+        <ul>
+            <li>Albania</li>
+            <li>Armenia</li>
+            <li>Azerbaijan</li>
+            <li>Belarus</li>
+            <li>Bosnia</li>
+            <li>Brazil</li>
+            <li>Georgia</li>
+            <li>India</li>
+            <li>Kazakhstan</li>
+            <li>Korea</li>
+            <li>Kyrgyzstan</li>
+            <li>Moldova</li>
+            <li>Taiwan</li>
+            <li>Tajikistan</li>
+            <li>Turkmenistan</li>
+            <li>Ukraine</li>
+            <li>Uzbekistan</li>
+        </ul>
+    </td>
+   </tr>
+</table> -->
+### Support for free and paid apps
 <table>
    <tr>
         <th align="center" colspan="4">Support for free and paid apps</th>
@@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
    </tr>
 </table>
 
-<table>
-   <tr>
-        <th align="center">Support for free apps only</th>
-   </tr>
-   <tr align="left">
-     <td>
-        <ul>
-            <li>Brazil</li>
-            <li>India</li>
-            <li>Russia</li>
-            <li>Taiwan</li>
-            <li>Ukraine</li>
-        </ul>
-    </td>
-   </tr>
-</table>
+### Support for free apps
+Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:
+- India
+- Russia 
+
+### Support for free apps and Minecraft: Education Edition
+Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:  
+- Brazil
+- Taiwan
+- Ukraine 
+
+This table summarize what customers can purchase, depending on which Microsoft Store they are using. 
+
+| Store | Free apps | Minecraft: Education Edition |
+| ----- | --------- | ---------------------------- |
+| Microsoft Store for Business | supported | not supported |
+| Microsoft Store for Education | supported | supported; invoice payment required |
+
+> [!NOTE]
+> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition**
+- Admins can acquire free apps from **Microsoft Store for Education**.
+- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). 
+- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. 
 
 ## Privacy notice
 
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
index 130251d4b2..c5c53ac5e6 100644
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -189,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti
 8.	Right-click the **Registry** node and click **New**.
 9.	In the **New Registry Properties** dialog box, select **Update** from the **Action** list.  Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
 10.	For the **Key Path**, click **…** to launch the **Registry Item Browser**.  Navigate to the following registry key and select the **PinRules** registry value name:
+
     HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config  
+
     Click **Select** to close the **Registry Item Browser**.
-11.	The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal).  Click **OK** to save your settings and close the dialog box.
+    
+11.	The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal).  Click **OK** to save your settings and close the dialog box.
 
     ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)
     
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index 120dc8ffe8..57e0175c71 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -9,5 +9,5 @@
 ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
-## [Mobile Device Management](mdm/index.md)
+## [Mobile device management protocol](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index a7c3befabe..69f6f73aa0 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -191,7 +191,7 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo
 ## Use Windows Store for Business
 
 
-[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users.
+[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
 
 ![company tab on store](images/aadjwsfb.jpg)
 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 35f400979f..45051db6b8 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -141,6 +141,8 @@
 #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
 #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
 ### [FileSystem CSP](filesystem-csp.md)
+### [Firewall CSP](firewall-csp.md)
+#### [Firewall DDF file](firewall-ddf-file.md)
 ### [HealthAttestation CSP](healthattestation-csp.md)
 #### [HealthAttestation DDF](healthattestation-ddf.md)
 ### [HotSpot CSP](hotspot-csp.md)
@@ -196,6 +198,8 @@
 #### [SUPL DDF file](supl-ddf-file.md)
 ### [SurfaceHub CSP](surfacehub-csp.md)
 #### [SurfaceHub DDF file](surfacehub-ddf-file.md)
+### [TPMPolicy CSP](tpmpolicy-csp.md)
+#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
 ### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
 #### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
 ### [Update CSP](update-csp.md)
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index d7d5beca50..308b678f24 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -671,7 +671,7 @@ The following example is provided to show proper format and should not be taken
 	<CmdID>110</CmdID>
 	<Item>
 		<Target>
-			<LocURI>./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption</LocURI>
+			<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
 		</Target>
 		<Meta>
 			<Format xmlns="syncml:metinf">int</Format>
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index f92fff6839..a6d30377d2 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -11,6 +11,9 @@ author: nickbrower
 
 # Configuration service provider reference
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
 
 For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). 
@@ -1148,6 +1151,34 @@ The following tables show the configuration service providers support in Windows
 <!--EndSKU-->
 <!--EndCSP-->
 
+<!--StartCSP-->
+[Firewall CSP](firewall-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [HealthAttestation CSP](healthattestation-csp.md)  
 
@@ -2016,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
 <!--EndSKU-->
 <!--EndCSP-->
 
+<!--StartCSP-->
+[TPMPolicy CSP](tpmpolicy-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)  
 
@@ -2330,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
 
  Footnotes: 
 - 1 - Added in Windows 10, version 1607
-- 2 - Added in Windows 10, version 1703
+- 2 - Added in Windows 10, version 1703  
+- 3 - Added in the next major update to Windows 10  
 
 > [!Note]  
 > You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
index 069a8486f3..ed4d8e0a6e 100644
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@@ -16,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
 
 > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
 
- 
 
-For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
+To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). 
 
 The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
 
@@ -44,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an
 
 When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters.
 
- 
+Entry | Description
+----------- | ------------
+ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.
+ActionCenter | Example: `<ActionCenter enabled="true"></ActionCenter>`
+ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled;  **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)
+ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>`
+ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>`
+StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx. **Large** - sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.
+StartScreenSize | If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
+Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).
+Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>`
+Application | <img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
+Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically.
+
+Application example:
+``` syntax
+<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
+   <PinToStart>
+      <Size>Large</Size>
+      <Location>
+         <LocationX>0</LocationX>
+         <LocationY>2</LocationY>
+      </Location>
+   </PinToStart>
+</Application>
+```
+
+Entry | Description
+----------- | ------------
+Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.
+
+Application example:
+``` syntax
+<Apps>
+    <!-- Outlook Calendar -->
+    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
+aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
+        <PinToStart>
+            <Size>Large</Size>
+            <Location>
+                <LocationX>1</LocationX>
+                <LocationY>4</LocationY>
+            </Location>
+        </PinToStart>
+    </Application>
+    <!-- Outlook Mail-->
+    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
+aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
+        <PinToStart>
+            <Size>Large</Size>
+            <Location>
+                <LocationX>1</LocationX>
+                <LocationY>6</LocationY>
+            </Location>
+        </PinToStart>
+    </Application>
+</Apps>
+```
+
+Entry | Description
+----------- | ------------
+Folder | A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
+
+Folder example:
+``` syntax
+<Application folderId="4" folderName="foldername">
+    <PinToStart>
+        <Size>Large</Size>
+        <Location>
+            <LocationX>0</LocationX>
+            <LocationY>2</LocationY>
+        </Location>
+    </PinToStart>
+</Application>
+```
+An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder.
+
+``` syntax
+<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+    <PinToStart>
+        <Size>Medium</Size>
+        <Location>
+            <LocationX>0</LocationX>
+            <LocationY>0</LocationY>
+        </Location>
+        <ParentFolderId>2</ParentFolderId>
+    </PinToStart>
+</Application>
+```
+
+Entry | Description
+----------- | ------------
+Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.
+
+> [!Important]  
+> Do not specify a group entry without a page entry because it will cause an undefined behavior.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>Entry</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td style="vertical-align:top"><p>ActionCenter</p></td>
-<td><p>You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot;&gt;&lt;/ActionCenter&gt;</code></pre>
-<p>In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:</p>
-<ul>
-<li>AboveLock/AllowActionCenterNotifications</li>
-<li>AboveLock/AllowToasts</li>
-</ul>
-<p>For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)</p>
-<p>You can also add the following optional attributes to the ActionCenter element to override the default behavior:</p>
-<ul>
-<li>aboveLockToastEnabled</li>
-<li>actionCenterNotificationEnabled</li>
-</ul>
-<p>Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).</p>
-<p>In this example, the Action Center is enabled and both policies are disabled.</p>
-<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; aboveLockToastEnabled=&quot;0&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre>
-<p>These optional attributes are independent of each other.</p>
-<p>In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.</p>
-<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre></td>
-</tr>
-<tr class="even">
-<td style="vertical-align:top"><p>StartScreenSize</p></td>
-<td><p>Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.</p>
-<p>Valid values:</p>
-<ul>
-<li><strong>Small</strong> sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx.</li>
-<li><strong>Large</strong> sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.</li>
-</ul>
-<p>If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;StartScreenSize&gt;Large&lt;/StartScreenSize&gt;</code></pre></td>
-</tr>
-<tr class="odd">
-<td style="vertical-align:top"><p>Application</p></td>
-<td><p>Provide the product ID for each app that will be available on the device.</p>
-<p>You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).</p>
-<p>To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.</p>
-<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot; aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;/&gt;</code></pre>
-<img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
-<p>Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.</p>
-<p>For the tile location, the first value indicates the column and the second value indicates the row. A value of <strong>0</strong> indicates the first column, a value of <strong>1</strong> indicates the second column, and so on.</p>
-<p>Include autoRun as an attribute to configure the application to run automatically.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot; autoRun=&quot;true&quot;&gt;
-   &lt;PinToStart&gt;
-      &lt;Size&gt;Large&lt;/Size&gt;
-      &lt;Location&gt;
-         &lt;LocationX&gt;0&lt;/LocationX&gt;
-         &lt;LocationY&gt;2&lt;/LocationY&gt;
-      &lt;/Location&gt;
-   &lt;/PinToStart&gt;
-&lt;/Application&gt;</code></pre>
-<p>Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.</p>
-<p>To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.</p>
-<pre class="syntax" space="preserve"><code>&lt;Apps&gt;
-    &lt;!-- Outlook Calendar --&gt;
-    &lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot; 
-aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar&quot;&gt;
-        &lt;PinToStart&gt;
-            &lt;Size&gt;Large&lt;/Size&gt;
-            &lt;Location&gt;
-                &lt;LocationX&gt;1&lt;/LocationX&gt;
-                &lt;LocationY&gt;4&lt;/LocationY&gt;
-            &lt;/Location&gt;
-        &lt;/PinToStart&gt;
-    &lt;/Application&gt;
-    &lt;!-- Outlook Mail--&gt;
-    &lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot; 
-aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;&gt;
-        &lt;PinToStart&gt;
-            &lt;Size&gt;Large&lt;/Size&gt;
-            &lt;Location&gt;
-                &lt;LocationX&gt;1&lt;/LocationX&gt;
-                &lt;LocationY&gt;6&lt;/LocationY&gt;
-            &lt;/Location&gt;
-        &lt;/PinToStart&gt;
-    &lt;/Application&gt;
-&lt;/Apps&gt;</code></pre></td>
-</tr>
-<tr class="even">
-<td style="vertical-align:top"><p>Folder</p></td>
-<td><p>A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, <strong>folderId</strong> is mandatory, <strong>folderName</strong> is optional, which is the folder name displayed on Start. <strong>folderId</strong> is a unique unsigned integer for each folder.</p>
-<p>For example:</p>
-<pre class="syntax" space="preserve"><code>&lt;Application folderId=&quot;4&quot; folderName=&quot;foldername&quot;&gt;
-    &lt;PinToStart&gt;
-        &lt;Size&gt;Large&lt;/Size&gt;
-        &lt;Location&gt;
-            &lt;LocationX&gt;0&lt;/LocationX&gt;
-            &lt;LocationY&gt;2&lt;/LocationY&gt;
-        &lt;/Location&gt;
-    &lt;/PinToStart&gt;
-&lt;/Application&gt;</code></pre>
-<p>An application that belongs in the folder would add an optional attribute <strong>ParentFolderId</strong>, which maps to <strong>folderId</strong> of the folder. In this case, the location of this application will be located inside the folder.</p>
-<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
-    &lt;PinToStart&gt;
-        &lt;Size&gt;Medium&lt;/Size&gt;
-        &lt;Location&gt;
-            &lt;LocationX&gt;0&lt;/LocationX&gt;
-            &lt;LocationY&gt;0&lt;/LocationY&gt;
-        &lt;/Location&gt;
-        &lt;ParentFolderId&gt;2&lt;/ParentFolderId&gt;
-    &lt;/PinToStart&gt;
-&lt;/Application&gt;</code></pre></td>
-</tr>
-<tr class="odd">
-<td style="vertical-align:top"><p>Settings</p></td>
-<td><p><strong>Settings pages</strong></p>
-<p>Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.</p>
-<div class="alert">
-<strong>Important</strong>  Do not specify a group entry without a page entry because it will cause an undefined behavior.
-</div>
-<div>
- 
-</div>
 <ul>
 <li>System (main menu) - SettingsPageGroupPCSystem
 <ul>
@@ -278,9 +243,14 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
 <li>Extensibility - SettingsPageExtensibility</li>
 </ul></li>
 </ul>
-<p><strong>Quick action settings</strong></p>
-<p>Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). </p>
-<p>Note:  Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.</p>
+
+**Quick action settings**  
+
+Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
+
+> [!Note]  
+> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.
+
 <ul>
 <li><p>SystemSettings_System_Display_QuickAction_Brightness</p>
 <p>Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay</p></li>
@@ -315,277 +285,265 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
 <li><p>SystemSettings_QuickAction_Camera</p>
 <p>Dependencies - none</p></li>
 </ul>
-<p>In this example, all settings pages and quick action settings are allowed. An empty &lt;Settings&gt; node indicates that none of the settings are blocked.</p>
-<pre class="syntax" space="preserve"><code>&lt;Settings&gt;
-&lt;/Settings&gt;</code></pre>
-<p>In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.</p>
-<pre class="syntax" space="preserve"><code>&lt;Settings&gt; 
-  &lt;System name=&quot;SettingsPageGroupPCSystem&quot; /&gt; 
-  &lt;System name=&quot;SettingsPageDisplay&quot; /&gt; 
-  &lt;System name=&quot;SettingsPageAppsNotifications&quot; /&gt;
-  &lt;System name=&quot;SettingsPageCalls&quot; /&gt;
-  &lt;System name=&quot;SettingsPageMessaging&quot; /&gt; 
-  &lt;System name=&quot;SettingsPageBatterySaver&quot; /&gt; 
-  &lt;System name=&quot;SettingsPageStorageSenseStorageOverview&quot; /&gt;
-  &lt;System name=&quot;SettingsPageGroupPCSystemDeviceEncryption&quot; /&gt; 
-  &lt;System name=&quot;SettingsPageDrivingMode&quot; /&gt; 
-  &lt;System name=&quot;SettingsPagePCSystemInfo&quot; /&gt; 
- &lt;/Settings&gt;</code></pre>
-<p>To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.</p></td>
-</tr>
-<tr class="even">
-<td style="vertical-align:top"><p>Buttons</p></td>
-<td><p>The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.</p>
+
+In this example, all settings pages and quick action settings are allowed. An empty \<Settings> node indicates that none of the settings are blocked.  
+
+``` syntax
+<Settings>
+</Settings>
+```
+
+In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.  
+
+``` syntax
+<Settings> 
+  <System name="SettingsPageGroupPCSystem" /> 
+  <System name="SettingsPageDisplay" /> 
+  <System name="SettingsPageAppsNotifications" />
+  <System name="SettingsPageCalls" />
+  <System name="SettingsPageMessaging" /> 
+  <System name="SettingsPageBatterySaver" /> 
+  <System name="SettingsPageStorageSenseStorageOverview" />
+  <System name="SettingsPageGroupPCSystemDeviceEncryption" /> 
+  <System name="SettingsPageDrivingMode" /> 
+  <System name="SettingsPagePCSystemInfo" /> 
+ </Settings>
+```
+
+Entry | Description
+----------- | ------------
+Buttons | The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.
+ 
 <ul>
 <li><p>Start</p>
-<div class="alert">
-<strong>Note</strong>  
-<p>Lock down of the Start button only prevents the press and hold event.</p>
-</div>
-<div>
- 
-</div></li>
 <li><p>Back</p></li>
 <li><p>Search</p></li>
 <li><p>Camera</p></li>
 <li><p>Custom1</p></li>
 <li><p>Custom2</p></li>
-<li><p>Custom3</p>
-<div class="alert">
-<strong>Note</strong>  
-<p>Custom buttons are hardware buttons that can be added to devices by OEMs.</p>
-</div>
-<div>
- 
-</div></li>
+<li><p>Custom3</p></li>
 </ul>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;Buttons&gt;
-   &lt;ButtonLockdownList&gt;
-      &lt;!-- Lockdown all buttons --&gt;
-         &lt;Button name=&quot;Search&quot;&gt;
-         &lt;/Button&gt;
-         &lt;Button name=&quot;Camera&quot;&gt;
-         &lt;/Button&gt;
-         &lt;Button name=&quot;Custom1&quot;&gt;
-         &lt;/Button&gt;
-         &lt;Button name=&quot;Custom2&quot;&gt;
-         &lt;/Button&gt;
-         &lt;Button name=&quot;Custom3&quot;&gt;
-         &lt;/Button&gt;
-   &lt;/ButtonLockdownList&gt;</code></pre>
-<p>The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.</p>
-<div class="alert">
-<strong>Note</strong>  
-<p>The lockdown settings for a button, per user role, will apply regardless of the button mapping.</p>
-</div>
-<div>
- 
-</div>
-<div class="alert">
-<strong>Warning</strong>  
-<p>Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.</p>
-</div>
-<div>
- 
-</div>
-<p>To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;ButtonRemapList&gt;
-   &lt;Button name=&quot;Search&quot;&gt;
-      &lt;ButtonEvent name=&quot;Press&quot;&gt;
-         &lt;!-- Alarms --&gt;
-         &lt;Application productId=&quot;{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}&quot; parameters=&quot;&quot; /&gt;
-          &lt;/ButtonEvent&gt;
-   &lt;/Button&gt;
-&lt;/ButtonRemapList&gt;</code></pre>
-<p><strong>Disabling navigation buttons</strong></p>
-<p>To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically &quot;press&quot;).</p>
-<p>The following section contains a sample lockdown XML file that shows how to disable navigation buttons.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
-&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
-    &lt;Default&gt;
-        &lt;ActionCenter enabled=&quot;false&quot; /&gt;
-        &lt;Apps&gt;
-            &lt;!-- Settings --&gt;
-            &lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
-                &lt;PinToStart&gt;
-                    &lt;Size&gt;Large&lt;/Size&gt;
-                    &lt;Location&gt;
-                        &lt;LocationX&gt;0&lt;/LocationX&gt;
-                        &lt;LocationY&gt;0&lt;/LocationY&gt;
-                    &lt;/Location&gt;
-                &lt;/PinToStart&gt;
-            &lt;/Application&gt;
 
-            &lt;!-- Phone Apps --&gt;
-            &lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
-                &lt;PinToStart&gt;
-                    &lt;Size&gt;Small&lt;/Size&gt;
-                    &lt;Location&gt;
-                        &lt;LocationX&gt;2&lt;/LocationX&gt;
-                        &lt;LocationY&gt;2&lt;/LocationY&gt;
-                    &lt;/Location&gt;
-                &lt;/PinToStart&gt;
-            &lt;/Application&gt;
-        &lt;/Apps&gt;
-        &lt;Buttons&gt;
-            &lt;ButtonLockdownList&gt;
-                &lt;Button name=&quot;Start&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Back&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Search&quot;&gt;
-                    &lt;ButtonEvent name=&quot;All&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Camera&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom1&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom2&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom3&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-            &lt;/ButtonLockdownList&gt;
-            &lt;ButtonRemapList /&gt;
-        &lt;/Buttons&gt;
-        &lt;MenuItems&gt;
-            &lt;DisableMenuItems/&gt;
-        &lt;/MenuItems&gt;
-        &lt;Settings&gt;
-        &lt;/Settings&gt;
-        &lt;Tiles&gt;
-            &lt;EnableTileManipulation/&gt;
-        &lt;/Tiles&gt;
-        &lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
-    &lt;/Default&gt;
-&lt;/HandheldLockdown&gt;</code></pre></td>
-</tr>
-<tr class="odd">
-<td style="vertical-align:top"><p>MenuItems</p></td>
-<td><p>Use <strong>DisableMenuItems</strong> to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.</p>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;MenuItems&gt;
-   &lt;DisableMenuItems/&gt;
-&lt;/MenuItems&gt;</code></pre>
-<div class="alert">
-<strong>Important</strong>  
-<p>If <strong>DisableMenuItems</strong> is not included in a profile, users of that profile can uninstall apps.</p>
-</div>
-<div>
- 
-</div></td>
-</tr>
-<tr class="even">
-<td style="vertical-align:top"><p>Tiles</p></td>
-<td><p><strong>Turning-on tile manipulation</strong></p>
-<p>By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile.</p>
-<p>If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.</p>
-<div class="alert">
-<strong>Important</strong>  
-<p>If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.</p>
-</div>
-<div>
- 
-</div>
-<p>The following sample file contains configuration for enabling tile manipulation.</p>
-<div class="alert">
-<strong>Note</strong>  
-<p>Tile manipulation is disabled when you don’t have a <code>&lt;Tiles&gt;</code> node in lockdown XML, or if you have a <code>&lt;Tiles&gt;</code> node but don’t have the <code>&lt;EnableTileManipulation/&gt;</code> node.</p>
-</div>
-<div>
- 
-</div>
-<p>Example:</p>
-<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
-&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
-    &lt;Default&gt;
-        &lt;ActionCenter enabled=&quot;false&quot; /&gt;
-        &lt;Apps&gt;
-            &lt;!-- Settings --&gt;
-            &lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
-                &lt;PinToStart&gt;
-                    &lt;Size&gt;Large&lt;/Size&gt;
-                    &lt;Location&gt;
-                        &lt;LocationX&gt;0&lt;/LocationX&gt;
-                        &lt;LocationY&gt;0&lt;/LocationY&gt;
-                    &lt;/Location&gt;
-                &lt;/PinToStart&gt;
-            &lt;/Application&gt;
+> [!Note]  
+> Lock down of the Start button only prevents the press and hold event.  
+>
+> Custom buttons are hardware buttons that can be added to devices by OEMs.
 
-            &lt;!-- Phone Apps --&gt;
-            &lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
-                &lt;PinToStart&gt;
-                    &lt;Size&gt;Small&lt;/Size&gt;
-                    &lt;Location&gt;
-                        &lt;LocationX&gt;2&lt;/LocationX&gt;
-                        &lt;LocationY&gt;2&lt;/LocationY&gt;
-                    &lt;/Location&gt;
-                &lt;/PinToStart&gt;
-            &lt;/Application&gt;
-        &lt;/Apps&gt;
-        &lt;Buttons&gt;
-            &lt;ButtonLockdownList&gt;
-                &lt;Button name=&quot;Start&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Back&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Search&quot;&gt;
-                    &lt;ButtonEvent name=&quot;All&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Camera&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom1&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom2&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-                &lt;Button name=&quot;Custom3&quot;&gt;
-                    &lt;ButtonEvent name=&quot;Press&quot; /&gt;
-                    &lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
-                &lt;/Button&gt;
-            &lt;/ButtonLockdownList&gt;
-            &lt;ButtonRemapList /&gt;
-        &lt;/Buttons&gt;
-        &lt;MenuItems&gt;
-            &lt;DisableMenuItems/&gt;
-        &lt;/MenuItems&gt;
-        &lt;Settings&gt;
-        &lt;/Settings&gt;
-        &lt;Tiles&gt;
-            &lt;EnableTileManipulation/&gt;
-        &lt;/Tiles&gt;
-        &lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
-    &lt;/Default&gt;
-&lt;/HandheldLockdown&gt;</code></pre></td>
-</tr>
-<tr class="odd">
-<td style="vertical-align:top"><p>CSP Runner</p></td>
-<td><p>Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.</p></td>
-</tr>
-</tbody>
-</table>
+Buttons example: 
+``` syntax
+<Buttons>
+   <ButtonLockdownList>
+      <!-- Lockdown all buttons -->
+         <Button name="Search">
+         </Button>
+         <Button name="Camera">
+         </Button>
+         <Button name="Custom1">
+         </Button>
+         <Button name="Custom2">
+         </Button>
+         <Button name="Custom3">
+         </Button>
+   </ButtonLockdownList>
+```
+The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
 
+> [!Note]  
+> The lockdown settings for a button, per user role, will apply regardless of the button mapping.  
+>
+> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
+
+To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.
+
+``` syntax
+<ButtonRemapList>
+   <Button name="Search">
+      <ButtonEvent name="Press">
+         <!-- Alarms -->
+         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
+          </ButtonEvent>
+   </Button>
+</ButtonRemapList>
+```
+**Disabling navigation buttons**  
+To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").
+
+The following section contains a sample lockdown XML file that shows how to disable navigation buttons.
+
+``` syntax
+<?xml version="1.0" encoding="utf-8"?>
+<HandheldLockdown version="1.0" >
+    <Default>
+        <ActionCenter enabled="false" />
+        <Apps>
+            <!-- Settings -->
+            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+                <PinToStart>
+                    <Size>Large</Size>
+                    <Location>
+                        <LocationX>0</LocationX>
+                        <LocationY>0</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+
+            <!-- Phone Apps -->
+            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
+                <PinToStart>
+                    <Size>Small</Size>
+                    <Location>
+                        <LocationX>2</LocationX>
+                        <LocationY>2</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+        </Apps>
+        <Buttons>
+            <ButtonLockdownList>
+                <Button name="Start">
+                    <ButtonEvent name="Press" />
+                </Button>
+                <Button name="Back">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Search">
+                    <ButtonEvent name="All" />
+                </Button>
+                <Button name="Camera">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom1">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom2">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom3">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+            </ButtonLockdownList>
+            <ButtonRemapList />
+        </Buttons>
+        <MenuItems>
+            <DisableMenuItems/>
+        </MenuItems>
+        <Settings>
+        </Settings>
+        <Tiles>
+            <EnableTileManipulation/>
+        </Tiles>
+        <StartScreenSize>Small</StartScreenSize>
+    </Default>
+</HandheldLockdown>
+```
+
+Entry | Description
+----------- | ------------
+MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
+
+> [!Important]  
+> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
+
+MenuItems example:
+
+``` syntax
+<MenuItems>
+   <DisableMenuItems/>
+</MenuItems>
+```
+
+Entry | Description
+----------- | ------------
+Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
+
+> [!Important]  
+>  If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
+
+The following sample file contains configuration for enabling tile manipulation.
+
+> [!Note]  
+> Tile manipulation is disabled when you don’t have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but don’t have the `<EnableTileManipulation>` node.
+
+``` syntax
+<?xml version="1.0" encoding="utf-8"?>
+<HandheldLockdown version="1.0" >
+    <Default>
+        <ActionCenter enabled="false" />
+        <Apps>
+            <!-- Settings -->
+            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+                <PinToStart>
+                    <Size>Large</Size>
+                    <Location>
+                        <LocationX>0</LocationX>
+                        <LocationY>0</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+
+            <!-- Phone Apps -->
+            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
+                <PinToStart>
+                    <Size>Small</Size>
+                    <Location>
+                        <LocationX>2</LocationX>
+                        <LocationY>2</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+        </Apps>
+        <Buttons>
+            <ButtonLockdownList>
+                <Button name="Start">
+                    <ButtonEvent name="Press" />
+                </Button>
+                <Button name="Back">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Search">
+                    <ButtonEvent name="All" />
+                </Button>
+                <Button name="Camera">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom1">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom2">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom3">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+            </ButtonLockdownList>
+            <ButtonRemapList />
+        </Buttons>
+        <MenuItems>
+            <DisableMenuItems/>
+        </MenuItems>
+        <Settings>
+        </Settings>
+        <Tiles>
+            <EnableTileManipulation/>
+        </Tiles>
+        <StartScreenSize>Small</StartScreenSize>
+    </Default>
+</HandheldLockdown>
+```
+
+Entry | Description
+----------- | ------------
+CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.
  
 
 <a href="" id="lockscreenwallpaper-"></a>**LockscreenWallpaper/**  
@@ -734,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS
 <a href="" id="clock-timezone-"></a>**Clock/TimeZone/**  
 An integer that specifies the time zone of the device. The following table shows the possible values.
 
+Supported operations are Get and Replace.
+
 <table>
 <colgroup>
 <col width="20%" />
@@ -1161,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
 </tbody>
 </table>
 
- 
-
-Supported operations are Get and Replace.
 
 <a href="" id="locale-language-"></a>**Locale/Language/**  
 The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567).
@@ -1172,8 +1129,6 @@ The language setting is configured in the Default User profile only.
 
 > **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required.
 
- 
-
 Supported operations are Get and Replace.
 
 ## OMA client provisioning examples
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
new file mode 100644
index 0000000000..e621f09ad8
--- /dev/null
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -0,0 +1,282 @@
+---
+title: Firewall CSP
+description: Firewall CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Firewall CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device.  Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.  This CSP is new in the next major update to Windows 10.
+ 
+Firewall configuration commands must be wrapped in an Atomic block in SyncML.
+
+For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
+
+The following diagram shows the Firewall configuration service provider in tree format. 
+
+![firewall csp](images/provisioning-csp-firewall.png)
+
+<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
+<p style="margin-left: 20px">Root node for the Firewall configuration service provider.</p>
+
+<a href="" id="mdmstore"></a>**MdmStore**
+<p style="margin-left: 20px">Interior node.</p>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="global"></a>**MdmStore/Global**
+<p style="margin-left: 20px">Interior node.</p>
+<p style="margin-left: 20px">Supported operations are Get and Replace. </p>
+
+<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
+<p style="margin-left: 20px">DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
+<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
+
+<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
+<p style="margin-left: 20px">DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE  for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
+<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
+
+<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
+<p style="margin-left: 20px">This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace. </p>
+
+<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
+<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/TPresharedKeyEncodingBD**
+<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
+<p style="margin-left: 20px">This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
+<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
+<p style="margin-left: 20px">This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
+<a href="" id="binaryversionsupported"></a>**MdmStore/Global/BinaryVersionSupported**
+<p style="margin-left: 20px">This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
+<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
+
+<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
+<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="privateprofile"></a>**MdmStore/PrivateProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="publicprofile"></a>**MdmStore/PublicProfile**
+<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
+
+<a href="" id="enablefirewall"></a>**/EnableFirewall**
+<p style="margin-left: 20px">This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="shielded"></a>**/Shielded**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
+<p style="margin-left: 20px">This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
+<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
+<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
+<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
+
+<a href="" id="firewallrules"></a>**FirewallRules**
+<p style="margin-left: 20px">A list of rules controlling traffic through the Windows Firewall.  Each Rule ID is OR'ed.  Within each rule ID each Filter type is AND'ed.</p>
+
+<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
+<p style="margin-left: 20px">Unique alpha numeric identifier for the rule.  The rule name must not include a forward slash (/).</p>
+
+<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
+<p style="margin-left: 20px">Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
+<ul>
+<li>PackageFamilyName</li>
+<li>FilePath</li>
+<li>FQBN</li>
+<li>ServiceName</li>
+</ul>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
+<p style="margin-left: 20px">This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="filepath"></a>**FirewallRules/_FirewallRuleName_/App/FilePath**
+<p style="margin-left: 20px">This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="fqbn"></a>**FirewallRules/_FirewallRuleName_/App/Fqbn**
+<p style="margin-left: 20px">Fully Qualified Binary Name</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="servicename"></a>**FirewallRules/_FirewallRuleName_/App/ServiceName**
+<p style="margin-left: 20px">This is a service name used in cases when a service, not an application, is sending or receiving traffic.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
+<p style="margin-left: 20px">0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
+<p style="margin-left: 20px">Comma separated list of ranges. For example, 100-120,200,300-320.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
+<p style="margin-left: 20px">Comma separated list of ranges, For example, 100-120,200,300-320.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localaddressranges"></a>**FirewallRules/_FirewallRuleName_/LocalAddressRanges**
+<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
+<ul>
+<li>"\*" indicates any local address. If present, this must be the only token included.</li>
+<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
+<li>A valid IPv6 address.</li>
+<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
+<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="remoteaddressranges"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressRanges**
+<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
+<ul>
+<li>"\*" indicates any remote address. If present, this must be the only token included.</li>
+<li>"Defaultgateway"</li>
+<li>"DHCP"</li>
+<li>"DNS"</li>
+<li>"WINS"</li>
+<li>"Intranet"</li>
+<li>"RemoteCorpNetwork"</li>
+<li>"Internet"</li>
+<li>"PlayToRenderers"</li>
+<li>"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.</li>
+<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
+<li>A valid IPv6 address.</li>
+<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
+<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
+<p style="margin-left: 20px">Specifies the description of the rule.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
+<p style="margin-left: 20px">Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
+<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. .  See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
+
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
+<p style="margin-left: 20px">Specifies the action for the rule.</p>
+<p style="margin-left: 20px">Supported operation is Get.</p>
+
+<a href="" id="type"></a>**FirewallRules/_FirewallRuleName_/Action/Type**
+<p style="margin-left: 20px">Specifies the action the rule enforces. Supported values:</p>
+<ul>
+<li>0 - Block</li>
+<li>1 - Allow</li>
+</ul>
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
+<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
+<ul>
+<li>IN - the rule applies to inbound traffic.</li>
+<li>OUT - the rule applies to outbound traffic.</li>
+<li>If not specified, the default is IN.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
+<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
+<ul>
+<li>RemoteAccess</li>
+<li>Wireless</li>
+<li>MobileBroadband</li>
+<li>All</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
+<p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
+<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
+<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
+<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
+<p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
+<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
+<a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
+<p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
+<p style="margin-left: 20px">Name of the rule.</p>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
new file mode 100644
index 0000000000..ced7194e3a
--- /dev/null
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -0,0 +1,1815 @@
+---
+title: Firewall DDF file
+description: Firewall DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Firewall CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+
+``` syntax
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+      <Node>
+        <NodeName>Firewall</NodeName>
+        <Path>./Vendor/MSFT</Path>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <DDFName></DDFName>
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>MdmStore</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>Global</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+                <Replace />
+              </AccessType>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>PolicyVersionSupported</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Permanent />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>CurrentProfiles</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE  for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Permanent />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStatefulFtp</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</Description>
+                <DFFormat>
+                  <bool />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>SaIdleTime</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>PresharedKeyEncoding</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>IPsecExempt</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>CRLcheck</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>PolicyVersion</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Permanent />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>BinaryVersionSupported</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                </AccessType>
+                <Description>This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Permanent />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>OpportunisticallyMatchAuthSetPerKM</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
+                <DFFormat>
+                  <bool />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>EnablePacketQueue</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+          <Node>
+            <NodeName>DomainProfile</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EnableFirewall</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthMode</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>Shielded</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableUnicastResponsesToMulticastBroadcast</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableInboundNotifications</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AuthAppsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>GlobalPortsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalIpsecPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultOutboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultInboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthModeIpsecSecuredPacketExemption</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+          <Node>
+            <NodeName>PrivateProfile</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EnableFirewall</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthMode</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>Shielded</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableUnicastResponsesToMulticastBroadcast</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableInboundNotifications</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AuthAppsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>GlobalPortsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalIpsecPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultOutboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultInboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthModeIpsecSecuredPacketExemption</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+          <Node>
+            <NodeName>PublicProfile</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Permanent />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>EnableFirewall</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthMode</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>Shielded</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableUnicastResponsesToMulticastBroadcast</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableInboundNotifications</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port.  If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AuthAppsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>GlobalPortsAllowUserPrefMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>AllowLocalIpsecPolicyMerge</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultOutboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DefaultInboundAction</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>DisableStealthModeIpsecSecuredPacketExemption</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+          <Node>
+            <NodeName>FirewallRules</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Get />
+              </AccessType>
+              <Description>A list of rules controlling traffic through the Windows Firewall.  Each Rule ID is ORed.  Within each rule ID each Filter type is AND'ed.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <ZeroOrOne />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName></NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                </AccessType>
+                <Description>Unique alpha numeric identifier for the rule.  The rule name must not include a forward slash (/).</Description>
+                <DFFormat>
+                  <node />
+                </DFFormat>
+                <Occurrence>
+                  <ZeroOrMore />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFTitle>FirewallRuleName</DFTitle>
+                <DFType>
+                  <DDFName></DDFName>
+                </DFType>
+              </DFProperties>
+              <Node>
+                <NodeName>App</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Rules that control connections for an app, program or service.
+
+Specified based on the intersection of the following nodes.
+
+PackageFamilyName
+FilePath
+FQBN
+ServiceName</Description>
+                  <DFFormat>
+                    <node />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <DDFName></DDFName>
+                  </DFType>
+                </DFProperties>
+                <Node>
+                  <NodeName>PackageFamilyName</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Add />
+                      <Delete />
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <ZeroOrOne />
+                    </Occurrence>
+                    <Scope>
+                      <Dynamic />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+                <Node>
+                  <NodeName>FilePath</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Add />
+                      <Delete />
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <ZeroOrOne />
+                    </Occurrence>
+                    <Scope>
+                      <Dynamic />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+                <Node>
+                  <NodeName>Fqbn</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Add />
+                      <Delete />
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>Fully Qualified Binary Name</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <ZeroOrOne />
+                    </Occurrence>
+                    <Scope>
+                      <Dynamic />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+                <Node>
+                  <NodeName>ServiceName</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Add />
+                      <Delete />
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic.</Description>
+                    <DFFormat>
+                      <chr />
+                    </DFFormat>
+                    <Occurrence>
+                      <ZeroOrOne />
+                    </Occurrence>
+                    <Scope>
+                      <Dynamic />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+              </Node>
+              <Node>
+                <NodeName>Protocol</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>0-255 number representing the ip protocol (TCP = 6, UDP = 17)</Description>
+                  <DFFormat>
+                    <int />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>LocalPortRanges</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>RemotePortRanges</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description> Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>LocalAddressRanges</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. 
+Valid tokens include:
+"*" indicates any local address. If present, this must be the only token included.
+
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>RemoteAddressRanges</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+"*" indicates any remote address. If present, this must be the only token included.
+"Defaultgateway"
+"DHCP"
+"DNS"
+"WINS"
+"Intranet"
+"RemoteCorpNetwork"
+"Internet"
+"PlayToRenderers"
+"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
+A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
+A valid IPv6 address.
+An IPv4 address range in the format of "start address - end address" with no spaces included.
+An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Description</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Specifies the description of the rule.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Enabled</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+If not specified - a new rule is disabled by default.</Description>
+                  <DFFormat>
+                    <bool />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Profiles</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Specifies the profiles to which the rule belongs: Domain, Private, Public.  See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</Description>
+                  <DFFormat>
+                    <int />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Action</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Specifies the action for the rule.
+
+BLOCK - block the connection.
+ALLOW - allow the connection.
+
+
+If not specified the default action is BLOCK.</Description>
+                  <DFFormat>
+                    <node />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <DDFName></DDFName>
+                  </DFType>
+                </DFProperties>
+                <Node>
+                  <NodeName>Type</NodeName>
+                  <DFProperties>
+                    <AccessType>
+                      <Add />
+                      <Delete />
+                      <Get />
+                      <Replace />
+                    </AccessType>
+                    <Description>Specifies the action the rule enforces:
+0 - Block
+1 - Allow</Description>
+                    <DFFormat>
+                      <int />
+                    </DFFormat>
+                    <Occurrence>
+                      <One />
+                    </Occurrence>
+                    <Scope>
+                      <Dynamic />
+                    </Scope>
+                    <DFType>
+                      <MIME>text/plain</MIME>
+                    </DFType>
+                  </DFProperties>
+                </Node>
+              </Node>
+              <Node>
+                <NodeName>Direction</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Comma separated list.  The rule is enabled based on the traffic direction as following.
+
+IN - the rule applies to inbound traffic.
+OUT - the rule applies to outbound traffic.
+
+If not specified the detault is IN.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>InterfaceTypes</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All".
+ If more than one interface type is specified, the strings must be separated by a comma.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>IcmpTypesAndCodes</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>EdgeTraversal</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Indicates whether edge traversal is enabled or disabled for this rule.
+
+The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+
+New rules have the EdgeTraversal property disabled by default.
+</Description>
+                  <DFFormat>
+                    <bool />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>LocalUserAuthorizedList</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Specifies the list of authorized local users for the app container.
+This is a string in Security Descriptor Definition Language (SDDL) format..</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <ZeroOrOne />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Status</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                  </AccessType>
+                  <Description>Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>FriendlyName</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Add />
+                    <Delete />
+                    <Get />
+                    <Replace />
+                  </AccessType>
+                  <Description>Specifies the friendly name of the rule.
+The string must not contain the "|" character.</Description>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+              <Node>
+                <NodeName>Name</NodeName>
+                <DFProperties>
+                  <AccessType>
+                    <Get />
+                    <Add />
+                    <Delete />
+                    <Replace />
+                  </AccessType>
+                  <DFFormat>
+                    <chr />
+                  </DFFormat>
+                  <Occurrence>
+                    <One />
+                  </Occurrence>
+                  <Scope>
+                    <Dynamic />
+                  </Scope>
+                  <DFType>
+                    <MIME>text/plain</MIME>
+                  </DFType>
+                </DFProperties>
+              </Node>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+</MgmtTree>
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png
new file mode 100644
index 0000000000..f31e4c749d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png
new file mode 100644
index 0000000000..8950a1614d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 01c9aace26..6c95a92a67 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -14,6 +14,8 @@ author: nickbrower
 
 # What's new in MDM enrollment and management
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
 
@@ -640,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>SmartScreen/EnableAppInstallControl</li>
 <li>SmartScreen/EnableSmartScreenInShell</li>
 <li>SmartScreen/PreventOverrideForFilesInShell</li>
+<li>Start/AllowPinnedFolderDocuments</li>
+<li>Start/AllowPinnedFolderDownloads</li>
+<li>Start/AllowPinnedFolderFileExplorer</li>
+<li>Start/AllowPinnedFolderHomeGroup</li>
+<li>Start/AllowPinnedFolderMusic</li>
+<li>Start/AllowPinnedFolderNetwork</li>
+<li>Start/AllowPinnedFolderPersonalFolder </li>
+<li>Start/AllowPinnedFolderPictures</li>
+<li>Start/AllowPinnedFolderSettings</li>
+<li>Start/AllowPinnedFolderVideos</li>
 <li>Start/HideAppList</li>
 <li>Start/HideChangeAccountSettings</li>
 <li>Start/HideFrequentlyUsedApps</li>
@@ -661,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>TextInput/AllowKeyboardTextSuggestions</li>
 <li>TimeLanguageSettings/AllowSet24HourClock</li>
 <li>Update/ActiveHoursMaxRange</li>
+<li>Update/AutoRestartDeadlinePeriodInDays</li>
 <li>Update/AutoRestartNotificationSchedule</li>
 <li>Update/AutoRestartNotificationStyle</li>
 <li>Update/AutoRestartRequiredNotificationDismissal</li>
@@ -850,6 +863,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <td style="vertical-align:top"><p>Added a section describing SyncML examples of various ADMX elements.</p>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">New topic.</td>
+</tr>
+<tr class="odd">
 <td style="vertical-align:top">[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)</td>
 <td style="vertical-align:top"><p>Added a new topic describing how to deploy and configure App-V apps using MDM.</p>
 </td></tr>
@@ -888,6 +905,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>[Policy CSP](policy-configuration-service-provider.md)</li>
 </ul>
 </td></tr>
+<tr class="even">
+<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
+<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
+</tr>
 </tbody>
 </table> 
 
@@ -1158,6 +1179,60 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ## Change history in MDM documentation
 
+### June 2017
+
+<table>
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>New or updated topic</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
+</tr>
+<tr class="even">
+<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
+<td style="vertical-align:top">Added the following nodes:
+<ul>
+<li>Profiles</li>
+<li>Direction</li>
+<li>InterfaceTypes</li>
+<li>EdgeTraversal</li>
+<li>Status</li>
+</ul>
+Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
+<tr class="odd">
+<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
+<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
+</tr>
+<tr class="even">
+<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
+<td style="vertical-align:top">
+<p>Added the following new policies for Windows 10, version 1703:</p> 
+<ul>
+<li>Start/AllowPinnedFolderDocuments</li>
+<li>Start/AllowPinnedFolderDownloads</li>
+<li>Start/AllowPinnedFolderFileExplorer</li>
+<li>Start/AllowPinnedFolderHomeGroup</li>
+<li>Start/AllowPinnedFolderMusic</li>
+<li>Start/AllowPinnedFolderNetwork</li>
+<li>Start/AllowPinnedFolderPersonalFolder </li>
+<li>Start/AllowPinnedFolderPictures</li>
+<li>Start/AllowPinnedFolderSettings</li>
+<li>Start/AllowPinnedFolderVideos</li>
+<li>Update/AutoRestartDeadlinePeriodInDays</li>
+</ul>
+</td></tr>
+</tbody>
+</table>
+
 ### May 2017
 
 <table>
@@ -1216,7 +1291,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>EnterpriseDataProtection/RetrieveByCount/Type</li>
 </ul>
 </td></tr>
-<tr class="even">
+<tr class="odd">
 <td style="vertical-align:top">[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)</td>
 <td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
 <ul>
@@ -1228,6 +1303,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Ownership</li>
 </ul>
 </td></tr>
+<tr class="even">
+<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
+<td style="vertical-align:top"><p>Added new CSP in the next major update to Windows 10.</p>
+</td></tr>
 <tr class="odd">
 <td style="vertical-align:top">MDM support for Windows 10 S</td>
 <td style="vertical-align:top"><p>Updated the following topics to indicate MDM support in Windows 10 S.</p>
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 8faa4ccb96..ed858a4dcc 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -201,9 +201,9 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
 <a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)  
 <p style="margin-left: 20px">Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
 
-<p style="margin-left: 20px">Default value is false. If you set this policy to true or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
+<p style="margin-left: 20px">Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
 
-<p style="margin-left: 20px">If you set this policy to false, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
+<p style="margin-left: 20px">If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
 
 <p style="margin-left: 20px">Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
 
diff --git a/windows/client-management/mdm/policy-admx-backed.md b/windows/client-management/mdm/policy-admx-backed.md
deleted file mode 100644
index 643af44e7a..0000000000
--- a/windows/client-management/mdm/policy-admx-backed.md
+++ /dev/null
@@ -1,4032 +0,0 @@
----
-title: Policy CSP - ADMX-backed policies
-description: Policy CSP - ADMX-backed policies
-ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
-ms.author: maricia
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: nickbrower
----
-
-# Policy CSP - ADMX-backed policies
-
-The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. This reference topic targets only policies which are backed by ADMX. To understand the difference between traditional MDM and ADMX-backed policies please see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
-
-## <a href="" id="admxpolicytable"></a>Table of ADMX-backed policies for Windows 10, version 1703.
-
-> [!IMPORTANT]
-> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table.
-
-<!-- ADMX-TABLE-START -->
-<table>
-  <tr>
-    <th>MDM CSP setting path/name</th>
-    <th>GP english name</th>
-    <th>GP english category path</th>
-    <th>GP name</th>
-    <th>GP ADMX file name</th>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#activexcontrols-approvedinstallationsites">ActiveXControls/ApprovedInstallationSites</a></td>
-    <td style="vertical-align:top">Approved Installation Sites for ActiveX Controls</td>
-    <td style="vertical-align:top">Windows Components/ActiveX Installer Service</td>
-    <td style="vertical-align:top">ApprovedActiveXInstallSites</td>
-    <td style="vertical-align:top">ActiveXInstallService.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowappvclient">AppVirtualization/AllowAppVClient</a></td>
-    <td style="vertical-align:top">Enable App-V Client</td>
-    <td style="vertical-align:top">System/App-V</td>
-    <td style="vertical-align:top">EnableAppV</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowdynamicvirtualization">AppVirtualization/AllowDynamicVirtualization</a></td>
-    <td style="vertical-align:top">Enable Dynamic Virtualization</td>
-    <td style="vertical-align:top">System/App-V/Virtualization</td>
-    <td style="vertical-align:top">Virtualization_JITVEnable</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowpackagecleanup">AppVirtualization/AllowPackageCleanup</a></td>
-    <td style="vertical-align:top">Enable automatic cleanup of unused appv packages</td>
-    <td style="vertical-align:top">System/App-V/Package Management</td>
-    <td style="vertical-align:top">PackageManagement_AutoCleanupEnable</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowpackagescripts">AppVirtualization/AllowPackageScripts</a></td>
-    <td style="vertical-align:top">Enable Package Scripts</td>
-    <td style="vertical-align:top">System/App-V/Scripting</td>
-    <td style="vertical-align:top">Scripting_Enable_Package_Scripts</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowpublishingrefreshux">AppVirtualization/AllowPublishingRefreshUX</a></td>
-    <td style="vertical-align:top">Enable Publishing Refresh UX</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Enable_Publishing_Refresh_UX</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowreportingserver">AppVirtualization/AllowReportingServer</a></td>
-    <td style="vertical-align:top">Reporting Server</td>
-    <td style="vertical-align:top">System/App-V/Reporting</td>
-    <td style="vertical-align:top">Reporting_Server_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowroamingfileexclusions">AppVirtualization/AllowRoamingFileExclusions</a></td>
-    <td style="vertical-align:top">Roaming File Exclusions</td>
-    <td style="vertical-align:top">System/App-V/Integration</td>
-    <td style="vertical-align:top">Integration_Roaming_File_Exclusions</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowroamingregistryexclusions">AppVirtualization/AllowRoamingRegistryExclusions</a></td>
-    <td style="vertical-align:top">Roaming Registry Exclusions</td>
-    <td style="vertical-align:top">System/App-V/Integration</td>
-    <td style="vertical-align:top">Integration_Roaming_Registry_Exclusions</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-allowstreamingautoload">AppVirtualization/AllowStreamingAutoload</a></td>
-    <td style="vertical-align:top">Specify what to load in background (aka AutoLoad)</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Steaming_Autoload</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-clientcoexistenceallowmigrationmode">AppVirtualization/ClientCoexistenceAllowMigrationmode</a></td>
-    <td style="vertical-align:top">Enable Migration Mode</td>
-    <td style="vertical-align:top">System/App-V/Client Coexistence</td>
-    <td style="vertical-align:top">Client_Coexistence_Enable_Migration_mode</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-integrationallowrootglobal">AppVirtualization/IntegrationAllowRootGlobal</a></td>
-    <td style="vertical-align:top">Integration Root User</td>
-    <td style="vertical-align:top">System/App-V/Integration</td>
-    <td style="vertical-align:top">Integration_Root_User</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-integrationallowrootuser">AppVirtualization/IntegrationAllowRootUser</a></td>
-    <td style="vertical-align:top">Integration Root Global</td>
-    <td style="vertical-align:top">System/App-V/Integration</td>
-    <td style="vertical-align:top">Integration_Root_Global</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-publishingallowserver1">AppVirtualization/PublishingAllowServer1</a></td>
-    <td style="vertical-align:top">Publishing Server 1 Settings</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Publishing_Server1_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-publishingallowserver2">AppVirtualization/PublishingAllowServer2</a></td>
-    <td style="vertical-align:top">Publishing Server 2 Settings</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Publishing_Server2_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-publishingallowserver3">AppVirtualization/PublishingAllowServer3</a></td>
-    <td style="vertical-align:top">Publishing Server 3 Settings</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Publishing_Server3_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-publishingallowserver4">AppVirtualization/PublishingAllowServer4</a></td>
-    <td style="vertical-align:top">Publishing Server 4 Settings</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Publishing_Server4_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-publishingallowserver5">AppVirtualization/PublishingAllowServer5</a></td>
-    <td style="vertical-align:top">Publishing Server 5 Settings</td>
-    <td style="vertical-align:top">System/App-V/Publishing</td>
-    <td style="vertical-align:top">Publishing_Server5_Policy</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowcertificatefilterforclient_ssl">AppVirtualization/StreamingAllowCertificateFilterForClient_SSL</a></td>
-    <td style="vertical-align:top">Certificate Filter For Client SSL</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Certificate_Filter_For_Client_SSL</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowhighcostlaunch">AppVirtualization/StreamingAllowHighCostLaunch</a></td>
-    <td style="vertical-align:top">Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Allow_High_Cost_Launch</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowlocationprovider">AppVirtualization/StreamingAllowLocationProvider</a></td>
-    <td style="vertical-align:top">Location Provider</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Location_Provider</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowpackageinstallationroot">AppVirtualization/StreamingAllowPackageInstallationRoot</a></td>
-    <td style="vertical-align:top">Package Installation Root</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Package_Installation_Root</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowpackagesourceroot">AppVirtualization/StreamingAllowPackageSourceRoot</a></td>
-    <td style="vertical-align:top">Package Source Root</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Package_Source_Root</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowreestablishmentinterval">AppVirtualization/StreamingAllowReestablishmentInterval</a></td>
-    <td style="vertical-align:top">Reestablishment Interval</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Reestablishment_Interval</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingallowreestablishmentretries">AppVirtualization/StreamingAllowReestablishmentRetries</a></td>
-    <td style="vertical-align:top">Reestablishment Retries</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Reestablishment_Retries</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingsharedcontentstoremode">AppVirtualization/StreamingSharedContentStoreMode</a></td>
-    <td style="vertical-align:top">Shared Content Store (SCS) mode</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Shared_Content_Store_Mode</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingsupportbranchcache">AppVirtualization/StreamingSupportBranchCache</a></td>
-    <td style="vertical-align:top">Enable Support for BranchCache</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Support_Branch_Cache</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-streamingverifycertificaterevocationlist">AppVirtualization/StreamingVerifyCertificateRevocationList</a></td>
-    <td style="vertical-align:top">Verify certificate revocation list</td>
-    <td style="vertical-align:top">System/App-V/Streaming</td>
-    <td style="vertical-align:top">Streaming_Verify_Certificate_Revocation_List</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#appvirtualization-virtualcomponentsallowlist">AppVirtualization/VirtualComponentsAllowList</a></td>
-    <td style="vertical-align:top">Virtual Component Process Allow List</td>
-    <td style="vertical-align:top">System/App-V/Virtualization</td>
-    <td style="vertical-align:top">Virtualization_JITVAllowList</td>
-    <td style="vertical-align:top">appv.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#attachmentmanager-donotpreservezoneinformation">AttachmentManager/DoNotPreserveZoneInformation</a></td>
-    <td style="vertical-align:top">Do not preserve zone information in file attachments</td>
-    <td style="vertical-align:top">Windows Components/Attachment Manager</td>
-    <td style="vertical-align:top">AM_MarkZoneOnSavedAtttachments</td>
-    <td style="vertical-align:top">AttachmentManager.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#attachmentmanager-hidezoneinfomechanism">AttachmentManager/HideZoneInfoMechanism</a></td>
-    <td style="vertical-align:top">Hide mechanisms to remove zone information</td>
-    <td style="vertical-align:top">Windows Components/Attachment Manager</td>
-    <td style="vertical-align:top">AM_RemoveZoneInfo</td>
-    <td style="vertical-align:top">AttachmentManager.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#attachmentmanager-notifyantivirusprograms">AttachmentManager/NotifyAntivirusPrograms</a></td>
-    <td style="vertical-align:top">Notify antivirus programs when opening attachments</td>
-    <td style="vertical-align:top">Windows Components/Attachment Manager</td>
-    <td style="vertical-align:top">AM_CallIOfficeAntiVirus</td>
-    <td style="vertical-align:top">AttachmentManager.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#autoplay-disallowautoplayfornonvolumedevices">Autoplay/DisallowAutoplayForNonVolumeDevices</a></td>
-    <td style="vertical-align:top">Disallow Autoplay for non-volume devices</td>
-    <td style="vertical-align:top">Windows Components/AutoPlay Policies</td>
-    <td style="vertical-align:top">NoAutoplayfornonVolume</td>
-    <td style="vertical-align:top">AutoPlay.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#autoplay-setdefaultautorunbehavior">Autoplay/SetDefaultAutoRunBehavior</a></td>
-    <td style="vertical-align:top">Set the default behavior for AutoRun</td>
-    <td style="vertical-align:top">Windows Components/AutoPlay Policies</td>
-    <td style="vertical-align:top">NoAutorun</td>
-    <td style="vertical-align:top">AutoPlay.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#autoplay-turnoffautoplay">Autoplay/TurnOffAutoPlay</a></td>
-    <td style="vertical-align:top">Turn off Autoplay</td>
-    <td style="vertical-align:top">Windows Components/AutoPlay Policies</td>
-    <td style="vertical-align:top">Autorun</td>
-    <td style="vertical-align:top">AutoPlay.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#connectivity-hardeneduncpaths">Connectivity/HardenedUNCPaths</a></td>
-    <td style="vertical-align:top">Hardened UNC Paths</td>
-    <td style="vertical-align:top">Network/Network Provider</td>
-    <td style="vertical-align:top">Pol_HardenedPaths</td>
-    <td style="vertical-align:top">networkprovider.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#credentialproviders-allowpinlogon">CredentialProviders/AllowPINLogon</a></td>
-    <td style="vertical-align:top">Turn on convenience PIN sign-in</td>
-    <td style="vertical-align:top">System/Logon</td>
-    <td style="vertical-align:top">AllowDomainPINLogon</td>
-    <td style="vertical-align:top">credentialproviders.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a></td>
-    <td style="vertical-align:top">Turn off picture password sign-in</td>
-    <td style="vertical-align:top">System/Logon</td>
-    <td style="vertical-align:top">BlockDomainPicturePassword</td>
-    <td style="vertical-align:top">credentialproviders.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#credentialsui-disablepasswordreveal">CredentialsUI/DisablePasswordReveal</a></td>
-    <td style="vertical-align:top">Do not display the password reveal button</td>
-    <td style="vertical-align:top">Windows Components/Credential User Interface</td>
-    <td style="vertical-align:top">DisablePasswordReveal</td>
-    <td style="vertical-align:top">credui.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#credentialsui-enumerateadministrators">CredentialsUI/EnumerateAdministrators</a></td>
-    <td style="vertical-align:top">Enumerate administrator accounts on elevation</td>
-    <td style="vertical-align:top">Windows Components/Credential User Interface</td>
-    <td style="vertical-align:top">EnumerateAdministrators</td>
-    <td style="vertical-align:top">credui.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#datausage-setcost3g">DataUsage/SetCost3G</a></td>
-    <td style="vertical-align:top">Set 3G Cost</td>
-    <td style="vertical-align:top">Network/WWAN Service/WWAN Media Cost</td>
-    <td style="vertical-align:top">SetCost3G</td>
-    <td style="vertical-align:top">wwansvc.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#datausage-setcost4g">DataUsage/SetCost4G</a></td>
-    <td style="vertical-align:top">Set 4G Cost</td>
-    <td style="vertical-align:top">Network/WWAN Service/WWAN Media Cost</td>
-    <td style="vertical-align:top">SetCost4G</td>
-    <td style="vertical-align:top">wwansvc.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#desktop-preventuserredirectionofprofilefolders">Desktop/PreventUserRedirectionOfProfileFolders</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">desktop.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#deviceinstallation-preventinstallationofmatchingdeviceids">DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</a></td>
-    <td style="vertical-align:top">Prevent installation of devices that match any of these device IDs</td>
-    <td style="vertical-align:top">System/Device Installation/Device Installation Restrictions</td>
-    <td style="vertical-align:top">DeviceInstall_IDs_Deny</td>
-    <td style="vertical-align:top">deviceinstallation.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#deviceinstallation-preventinstallationofmatchingdevicesetupclasses">DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</a></td>
-    <td style="vertical-align:top">Prevent installation of devices using drivers that match these device setup classes</td>
-    <td style="vertical-align:top">System/Device Installation/Device Installation Restrictions</td>
-    <td style="vertical-align:top">DeviceInstall_Classes_Deny</td>
-    <td style="vertical-align:top">deviceinstallation.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#devicelock-preventlockscreenslideshow">DeviceLock/PreventLockScreenSlideShow</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">ControlPanelDisplay.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#errorreporting-customizeconsentsettings">ErrorReporting/CustomizeConsentSettings</a></td>
-    <td style="vertical-align:top">Customize consent settings</td>
-    <td style="vertical-align:top">Windows Components/Windows Error Reporting/Consent</td>
-    <td style="vertical-align:top">WerConsentCustomize_2</td>
-    <td style="vertical-align:top">ErrorReporting.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#errorreporting-disablewindowserrorreporting">ErrorReporting/DisableWindowsErrorReporting</a></td>
-    <td style="vertical-align:top">Disable Windows Error Reporting</td>
-    <td style="vertical-align:top">Windows Components/Windows Error Reporting</td>
-    <td style="vertical-align:top">WerDisable_2</td>
-    <td style="vertical-align:top">ErrorReporting.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#errorreporting-displayerrornotification">ErrorReporting/DisplayErrorNotification</a></td>
-    <td style="vertical-align:top">Display Error Notification</td>
-    <td style="vertical-align:top">Windows Components/Windows Error Reporting</td>
-    <td style="vertical-align:top">PCH_ShowUI</td>
-    <td style="vertical-align:top">ErrorReporting.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#errorreporting-donotsendadditionaldata">ErrorReporting/DoNotSendAdditionalData</a></td>
-    <td style="vertical-align:top">Do not send additional data</td>
-    <td style="vertical-align:top">Windows Components/Windows Error Reporting</td>
-    <td style="vertical-align:top">WerNoSecondLevelData_2</td>
-    <td style="vertical-align:top">ErrorReporting.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#errorreporting-preventcriticalerrordisplay">ErrorReporting/PreventCriticalErrorDisplay</a></td>
-    <td style="vertical-align:top">Prevent display of the user interface for critical errors</td>
-    <td style="vertical-align:top">Windows Components/Windows Error Reporting</td>
-    <td style="vertical-align:top">WerDoNotShowUI</td>
-    <td style="vertical-align:top">ErrorReporting.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#eventlogservice-controleventlogbehavior">EventLogService/ControlEventLogBehavior</a></td>
-    <td style="vertical-align:top">Control Event Log behavior when the log file reaches its maximum size</td>
-    <td style="vertical-align:top">Windows Components/Event Log Service/Application</td>
-    <td style="vertical-align:top">Channel_Log_Retention_1</td>
-    <td style="vertical-align:top">eventlog.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#eventlogservice-specifymaximumfilesizeapplicationlog">EventLogService/SpecifyMaximumFileSizeApplicationLog</a></td>
-    <td style="vertical-align:top">Specify the maximum log file size (KB)</td>
-    <td style="vertical-align:top">Windows Components/Event Log Service/Application</td>
-    <td style="vertical-align:top">Channel_LogMaxSize_1</td>
-    <td style="vertical-align:top">eventlog.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#eventlogservice-specifymaximumfilesizesecuritylog">EventLogService/SpecifyMaximumFileSizeSecurityLog</a></td>
-    <td style="vertical-align:top">Specify the maximum log file size (KB)</td>
-    <td style="vertical-align:top">Windows Components/Event Log Service/Security</td>
-    <td style="vertical-align:top">Channel_LogMaxSize_2</td>
-    <td style="vertical-align:top">eventlog.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#eventlogservice-specifymaximumfilesizesystemlog">EventLogService/SpecifyMaximumFileSizeSystemLog</a></td>
-    <td style="vertical-align:top">Specify the maximum log file size (KB)</td>
-    <td style="vertical-align:top">Windows Components/Event Log Service/System</td>
-    <td style="vertical-align:top">Channel_LogMaxSize_4</td>
-    <td style="vertical-align:top">eventlog.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-addsearchprovider">InternetExplorer/AddSearchProvider</a></td>
-    <td style="vertical-align:top">Add a specific list of search providers to the user's list of search providers</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">AddSearchProvider</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowactivexfiltering">InternetExplorer/AllowActiveXFiltering</a></td>
-    <td style="vertical-align:top">Turn on ActiveX Filtering</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">TurnOnActiveXFiltering</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowaddonlist">InternetExplorer/AllowAddOnList</a></td>
-    <td style="vertical-align:top">Add-on List</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Security Features/Add-on Management</td>
-    <td style="vertical-align:top">AddonManagement_AddOnList</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowenhancedprotectedmode">InternetExplorer/AllowEnhancedProtectedMode</a></td>
-    <td style="vertical-align:top">Turn on Enhanced Protected Mode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Advanced Page</td>
-    <td style="vertical-align:top">Advanced_EnableEnhancedProtectedMode</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowenterprisemodefromtoolsmenu">InternetExplorer/AllowEnterpriseModeFromToolsMenu</a></td>
-    <td style="vertical-align:top">Let users turn on and use Enterprise Mode from the Tools menu</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">EnterpriseModeEnable</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowenterprisemodesitelist">InternetExplorer/AllowEnterpriseModeSiteList</a></td>
-    <td style="vertical-align:top">Use the Enterprise Mode IE website list</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">EnterpriseModeSiteList</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowinternetexplorer7policylist ">InternetExplorer/AllowInternetExplorer7PolicyList </a></td>
-    <td style="vertical-align:top">Use Policy List of Internet Explorer 7 sites</td>
-    <td style="vertical-align:top">CompatView_UsePolicyList</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowinternetexplorerstandardsmode">InternetExplorer/AllowInternetExplorerStandardsMode</a></td>
-    <td style="vertical-align:top">Turn on Internet Explorer Standards Mode for local intranet</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Compatibility View</td>
-    <td style="vertical-align:top">CompatView_IntranetSites</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowinternetzonetemplate">InternetExplorer/AllowInternetZoneTemplate</a></td>
-    <td style="vertical-align:top">Internet Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyInternetZoneTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowintranetzonetemplate">InternetExplorer/AllowIntranetZoneTemplate</a></td>
-    <td style="vertical-align:top">Intranet Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyIntranetZoneTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowlocalmachinezonetemplate">InternetExplorer/AllowLocalMachineZoneTemplate</a></td>
-    <td style="vertical-align:top">Local Machine Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyLocalMachineZoneTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowlockeddowninternetzonetemplate">InternetExplorer/AllowLockedDownInternetZoneTemplate</a></td>
-    <td style="vertical-align:top">Locked-Down Internet Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyInternetZoneLockdownTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowlockeddownintranetzonetemplate">InternetExplorer/AllowLockedDownIntranetZoneTemplate</a></td>
-    <td style="vertical-align:top">Locked-Down Intranet Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyIntranetZoneLockdownTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowlockeddownlocalmachinezonetemplate">InternetExplorer/AllowLockedDownLocalMachineZoneTemplate</a></td>
-    <td style="vertical-align:top">Locked-Down Local Machine Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyLocalMachineZoneLockdownTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowlockeddownrestrictedsiteszonetemplate">InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate</a></td>
-    <td style="vertical-align:top">Locked-Down Restricted Sites Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyRestrictedSitesZoneLockdownTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowonewordentry">InternetExplorer/AllowOneWordEntry</a></td>
-    <td style="vertical-align:top">Go to an intranet site for a one-word entry in the Address bar</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing</td>
-    <td style="vertical-align:top">UseIntranetSiteForOneWordEntry</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowsitetozoneassignmentlist">InternetExplorer/AllowSiteToZoneAssignmentList</a></td>
-    <td style="vertical-align:top">Site to Zone Assignment List</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_Zonemaps</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowsuggestedsites">InternetExplorer/AllowSuggestedSites</a></td>
-    <td style="vertical-align:top">Turn on Suggested Sites</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">EnableSuggestedSites</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowtrustedsiteszonetemplate">InternetExplorer/AllowTrustedSitesZoneTemplate</a></td>
-    <td style="vertical-align:top">Trusted Sites Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyTrustedSitesZoneTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowslockeddowntrustedsiteszonetemplate">InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate</a></td>
-    <td style="vertical-align:top">Locked-Down Trusted Sites Zone Template</td>
-    <td style="vertical-align:top">IZ_PolicyTrustedSitesZoneLockdownTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-allowsrestrictedsiteszonetemplate">InternetExplorer/AllowsRestrictedSitesZoneTemplate</a></td>
-    <td style="vertical-align:top">Restricted Sites Zone Template</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_PolicyRestrictedSitesZoneTemplate</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a></td>
-    <td style="vertical-align:top">Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Security Features/Add-on Management</td>
-    <td style="vertical-align:top">DisableFlashInIE</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles">InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablecustomerexperienceimprovementprogramparticipation">InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation</a></td>
-    <td style="vertical-align:top">Prevent participation in the Customer Experience Improvement Program</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">SQM_DisableCEIP</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableenclosuredownloading">InternetExplorer/DisableEnclosureDownloading</a></td>
-    <td style="vertical-align:top">Prevent downloading of enclosures</td>
-    <td style="vertical-align:top">Windows Components/RSS Feeds</td>
-    <td style="vertical-align:top">Disable_Downloading_of_Enclosures</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableencryptionsupport">InternetExplorer/DisableEncryptionSupport</a></td>
-    <td style="vertical-align:top">Turn off encryption support</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Advanced Page</td>
-    <td style="vertical-align:top">Advanced_SetWinInetProtocols</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablefirstrunwizard">InternetExplorer/DisableFirstRunWizard</a></td>
-    <td style="vertical-align:top">Prevent running First Run wizard</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">NoFirstRunCustomise</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableflipaheadfeature">InternetExplorer/DisableFlipAheadFeature</a></td>
-    <td style="vertical-align:top">Turn off the flip ahead with page prediction feature</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Advanced Page</td>
-    <td style="vertical-align:top">Advanced_DisableFlipAhead</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a></td>
-    <td style="vertical-align:top">Disable changing home page settings</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">RestrictHomePage</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableproxychange">InternetExplorer/DisableProxyChange</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablesearchproviderchange">InternetExplorer/DisableSearchProviderChange</a></td>
-    <td style="vertical-align:top">Prevent changing the default search provider</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">NoSearchProvider</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disablesecondaryhomepagechange">InternetExplorer/DisableSecondaryHomePageChange</a></td>
-    <td style="vertical-align:top">Disable changing secondary home page settings</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">SecondaryHomePages</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-disableupdatecheck">InternetExplorer/DisableUpdateCheck</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-donotallowuserstoaddsites">InternetExplorer/DoNotAllowUsersToAddSites</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-donotallowuserstochangepolicies">InternetExplorer/DoNotAllowUsersToChangePolicies</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-donotblockoutdatedactivexcontrols">InternetExplorer/DoNotBlockOutdatedActiveXControls</a></td>
-    <td style="vertical-align:top">Turn off blocking of outdated ActiveX controls for Internet Explorer</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Security Features/Add-on Management</td>
-    <td style="vertical-align:top">VerMgmtDisable</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains">InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains</a></td>
-    <td style="vertical-align:top">Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Security Features/Add-on Management</td>
-    <td style="vertical-align:top">VerMgmtDomainAllowlist</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a></td>
-    <td style="vertical-align:top">Intranet Sites: Include all local (intranet) sites not listed in other zones</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_IncludeUnspecifiedLocalSites</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-includeallnetworkpaths">InternetExplorer/IncludeAllNetworkPaths</a></td>
-    <td style="vertical-align:top">Intranet Sites: Include all network paths (UNCs)</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page</td>
-    <td style="vertical-align:top">IZ_UNCAsIntranet</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowaccesstodatasources">InternetExplorer/InternetZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowfontdownloads">InternetExplorer/InternetZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowlessprivilegedsites">InternetExplorer/InternetZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallownetframeworkreliantcomponents">InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowscriptlets">InternetExplorer/InternetZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowsmartscreenie">InternetExplorer/InternetZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneallowuserdatapersistence">InternetExplorer/InternetZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzoneinitializeandscriptactivexcontrols">InternetExplorer/InternetZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_1</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowfontdownloads">InternetExplorer/IntranetZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowlessprivilegedsites">InternetExplorer/IntranetZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallownetframeworkreliantcomponents">InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowscriptlets">InternetExplorer/IntranetZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowsmartscreenie">InternetExplorer/IntranetZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneallowuserdatapersistence">InternetExplorer/IntranetZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-intranetzonenavigatewindowsandframes">InternetExplorer/IntranetZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_3</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowaccesstodatasources">InternetExplorer/LocalMachineZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads">InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowfontdownloads">InternetExplorer/LocalMachineZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowlessprivilegedsites">InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallownetframeworkreliantcomponents">InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowscriptlets">InternetExplorer/LocalMachineZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowsmartscreenie">InternetExplorer/LocalMachineZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneallowuserdatapersistence">InternetExplorer/LocalMachineZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols">InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-localmachinezonenavigatewindowsandframes">InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_9</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowaccesstodatasources">InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowfontdownloads">InternetExplorer/LockedDownInternetZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites">InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowscriptlets">InternetExplorer/LockedDownInternetZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowsmartscreenie">InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneallowuserdatapersistence">InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowninternetzonenavigatewindowsandframes">InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_2</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowaccesstodatasources">InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowfontdownloads">InternetExplorer/LockedDownIntranetZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites">InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowscriptlets">InternetExplorer/LockedDownIntranetZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowsmartscreenie">InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneallowuserdatapersistence">InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownintranetzonenavigatewindowsandframes">InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_4</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources">InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads">InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites">InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowscriptlets">InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie">InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence">InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes">InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_10</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources">InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads">InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites">InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets">InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie">InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence">InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes">InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_8</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources">InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads">InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites">InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets">InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie">InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence">InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes">InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_6</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowaccesstodatasources">InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowfontdownloads">InternetExplorer/RestrictedSitesZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowlessprivilegedsites">InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowscriptlets">InternetExplorer/RestrictedSitesZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowsmartscreenie">InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneallowuserdatapersistence">InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_7</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-searchproviderlist">InternetExplorer/SearchProviderList</a></td>
-    <td style="vertical-align:top">Restrict search providers to a specific list</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer</td>
-    <td style="vertical-align:top">SpecificSearchProvider</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowaccesstodatasources">InternetExplorer/TrustedSitesZoneAllowAccessToDataSources</a></td>
-    <td style="vertical-align:top">Access data sources across domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyAccessDataSourcesAcrossDomains_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls</a></td>
-    <td style="vertical-align:top">Automatic prompting for ActiveX controls</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarActiveXURLaction_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads</a></td>
-    <td style="vertical-align:top">Automatic prompting for file downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNotificationBarDownloadURLaction_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowfontdownloads">InternetExplorer/TrustedSitesZoneAllowFontDownloads</a></td>
-    <td style="vertical-align:top">Allow font downloads</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyFontDownload_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowlessprivilegedsites">InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites</a></td>
-    <td style="vertical-align:top">Web sites in less privileged Web content zones can navigate into this zone</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyZoneElevationURLaction_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents</a></td>
-    <td style="vertical-align:top">Run .NET Framework-reliant components not signed with Authenticode</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUnsignedFrameworkComponentsURLaction_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowscriptlets">InternetExplorer/TrustedSitesZoneAllowScriptlets</a></td>
-    <td style="vertical-align:top">Allow scriptlets</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_AllowScriptlets_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowsmartscreenie">InternetExplorer/TrustedSitesZoneAllowSmartScreenIE</a></td>
-    <td style="vertical-align:top">Turn on SmartScreen Filter scan</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_Policy_Phishing_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneallowuserdatapersistence">InternetExplorer/TrustedSitesZoneAllowUserDataPersistence</a></td>
-    <td style="vertical-align:top">Userdata persistence</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyUserdataPersistence_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a></td>
-    <td style="vertical-align:top">Initialize and script ActiveX controls not marked as safe</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyScriptActiveXNotMarkedSafe_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#internetexplorer-trustedsiteszonenavigatewindowsandframes">InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames</a></td>
-    <td style="vertical-align:top">Navigate windows and frames across different domains</td>
-    <td style="vertical-align:top">Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone</td>
-    <td style="vertical-align:top">IZ_PolicyNavigateSubframesAcrossDomains_5</td>
-    <td style="vertical-align:top">inetres.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a></td>
-    <td style="vertical-align:top">&nbsp;</td>
-    <td style="vertical-align:top">ForestSearch</td>
-    <td style="vertical-align:top">Kerberos.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a></td>
-    <td style="vertical-align:top">Kerberos client support for claims, compound authentication and Kerberos armoring</td>
-    <td style="vertical-align:top">System/Kerberos</td>
-    <td style="vertical-align:top">EnableCbacAndArmor</td>
-    <td style="vertical-align:top">Kerberos.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a></td>
-    <td style="vertical-align:top">Fail authentication requests when Kerberos armoring is not available</td>
-    <td style="vertical-align:top">System/Kerberos</td>
-    <td style="vertical-align:top">ClientRequireFast</td>
-    <td style="vertical-align:top">Kerberos.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a></td>
-    <td style="vertical-align:top">Require strict KDC validation</td>
-    <td style="vertical-align:top">System/Kerberos</td>
-    <td style="vertical-align:top">ValidateKDC</td>
-    <td style="vertical-align:top">Kerberos.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a></td>
-    <td style="vertical-align:top">Set maximum Kerberos SSPI context token buffer size</td>
-    <td style="vertical-align:top">System/Kerberos</td>
-    <td style="vertical-align:top">MaxTokenSize</td>
-    <td style="vertical-align:top">Kerberos.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#power-allowstandbywhensleepingpluggedin">Power/AllowStandbyWhenSleepingPluggedIn</a></td>
-    <td style="vertical-align:top">Allow standby states (S1-S3) when sleeping (plugged in)</td>
-    <td style="vertical-align:top">System/Power Management/Sleep Settings</td>
-    <td style="vertical-align:top">AllowStandbyStatesAC_2</td>
-    <td style="vertical-align:top">power.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#power-requirepasswordwhencomputerwakesonbattery">Power/RequirePasswordWhenComputerWakesOnBattery</a></td>
-    <td style="vertical-align:top">Require a password when a computer wakes (on battery)</td>
-    <td style="vertical-align:top">System/Power Management/Sleep Settings</td>
-    <td style="vertical-align:top">DCPromptForPasswordOnResume_2</td>
-    <td style="vertical-align:top">power.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a></td>
-    <td style="vertical-align:top">Require a password when a computer wakes (plugged in)</td>
-    <td style="vertical-align:top">System/Power Management/Sleep Settings</td>
-    <td style="vertical-align:top">ACPromptForPasswordOnResume_2</td>
-    <td style="vertical-align:top">power.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a></td>
-    <td style="vertical-align:top">Point and Print Restrictions</td>
-    <td style="vertical-align:top">Printers</td>
-    <td style="vertical-align:top">PointAndPrint_Restrictions_Win7</td>
-    <td style="vertical-align:top">Printing.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#printers-pointandprintrestrictions_user">Printers/PointAndPrintRestrictions_User</a></td>
-    <td style="vertical-align:top">Point and Print Restrictions</td>
-    <td style="vertical-align:top">PointAndPrint_Restrictions</td>
-    <td style="vertical-align:top">Printing.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#printers-publishprinters">Printers/PublishPrinters</a></td>
-    <td style="vertical-align:top">Allow printers to be published</td>
-    <td style="vertical-align:top">Printers</td>
-    <td style="vertical-align:top">PublishPrinters</td>
-    <td style="vertical-align:top">Printing2.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteassistance-customizewarningmessages">RemoteAssistance/CustomizeWarningMessages</a></td>
-    <td style="vertical-align:top">Customize warning messages</td>
-    <td style="vertical-align:top">System/Remote Assistance</td>
-    <td style="vertical-align:top">RA_Options</td>
-    <td style="vertical-align:top">remoteassistance.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteassistance-sessionlogging">RemoteAssistance/SessionLogging</a></td>
-    <td style="vertical-align:top">Turn on session logging</td>
-    <td style="vertical-align:top">System/Remote Assistance</td>
-    <td style="vertical-align:top">RA_Logging</td>
-    <td style="vertical-align:top">remoteassistance.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteassistance-solicitedremoteassistance">RemoteAssistance/SolicitedRemoteAssistance</a></td>
-    <td style="vertical-align:top">Configure Solicited Remote Assistance</td>
-    <td style="vertical-align:top">System/Remote Assistance</td>
-    <td style="vertical-align:top">RA_Solicit</td>
-    <td style="vertical-align:top">remoteassistance.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteassistance-unsolicitedremoteassistance">RemoteAssistance/UnsolicitedRemoteAssistance</a></td>
-    <td style="vertical-align:top">Configure Offer Remote Assistance</td>
-    <td style="vertical-align:top">RA_Unsolicit</td>
-    <td style="vertical-align:top">remoteassistance.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-allowuserstoconnectremotely">RemoteDesktopServices/AllowUsersToConnectRemotely</a></td>
-    <td style="vertical-align:top">Allow users to connect remotely by using Remote Desktop Services</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections</td>
-    <td style="vertical-align:top">TS_DISABLE_CONNECTIONS</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-clientconnectionencryptionlevel">RemoteDesktopServices/ClientConnectionEncryptionLevel</a></td>
-    <td style="vertical-align:top">Set client connection encryption level</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security</td>
-    <td style="vertical-align:top">TS_ENCRYPTION_POLICY</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-donotallowdriveredirection">RemoteDesktopServices/DoNotAllowDriveRedirection</a></td>
-    <td style="vertical-align:top">Do not allow drive redirection</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection</td>
-    <td style="vertical-align:top">TS_CLIENT_DRIVE_M</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a></td>
-    <td style="vertical-align:top">Do not allow passwords to be saved</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Connection Client</td>
-    <td style="vertical-align:top">TS_CLIENT_DISABLE_PASSWORD_SAVING_2</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a></td>
-    <td style="vertical-align:top">Always prompt for password upon connection</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security</td>
-    <td style="vertical-align:top">TS_PASSWORD</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remotedesktopservices-requiresecurerpccommunication">RemoteDesktopServices/RequireSecureRPCCommunication</a></td>
-    <td style="vertical-align:top">Require secure RPC communication</td>
-    <td style="vertical-align:top">Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security</td>
-    <td style="vertical-align:top">TS_RPC_ENCRYPTION</td>
-    <td style="vertical-align:top">terminalserver.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteprocedurecall-rpcendpointmapperclientauthentication">RemoteProcedureCall/RPCEndpointMapperClientAuthentication</a></td>
-    <td style="vertical-align:top">Enable RPC Endpoint Mapper Client Authentication</td>
-    <td style="vertical-align:top">System/Remote Procedure Call</td>
-    <td style="vertical-align:top">RpcEnableAuthEpResolution</td>
-    <td style="vertical-align:top">rpc.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#remoteprocedurecall-restrictunauthenticatedrpcclients">RemoteProcedureCall/RestrictUnauthenticatedRPCClients</a></td>
-    <td style="vertical-align:top">Restrict Unauthenticated RPC clients</td>
-    <td style="vertical-align:top">System/Remote Procedure Call</td>
-    <td style="vertical-align:top">RpcRestrictRemoteClients</td>
-    <td style="vertical-align:top">rpc.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a></td>
-    <td style="vertical-align:top">Do not allow Windows to activate Enhanced Storage devices</td>
-    <td style="vertical-align:top">System/Enhanced Storage Access</td>
-    <td style="vertical-align:top">TCGSecurityActivationDisabled</td>
-    <td style="vertical-align:top">enhancedstorage.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#system-bootstartdriverinitialization">System/BootStartDriverInitialization</a></td>
-    <td style="vertical-align:top">Boot-Start Driver Initialization Policy</td>
-    <td style="vertical-align:top">System/Early Launch Antimalware</td>
-    <td style="vertical-align:top">POL_DriverLoadPolicy_Name</td>
-    <td style="vertical-align:top">earlylauncham.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#system-disablesystemrestore">System/DisableSystemRestore</a></td>
-    <td style="vertical-align:top">Turn off System Restore</td>
-    <td style="vertical-align:top">System/System Restore</td>
-    <td style="vertical-align:top">SR_DisableSR</td>
-    <td style="vertical-align:top">systemrestore.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a></td>
-    <td style="vertical-align:top">Turn off app notifications on the lock screen</td>
-    <td style="vertical-align:top">System/Logon</td>
-    <td style="vertical-align:top">DisableLockScreenAppNotifications</td>
-    <td style="vertical-align:top">logon.admx</td>
-  </tr>
-  <tr>
-    <td style="vertical-align:top"><a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a></td>
-    <td style="vertical-align:top">Do not display network selection UI</td>
-    <td style="vertical-align:top">System/Logon</td>
-    <td style="vertical-align:top">DontDisplayNetworkSelectionUI</td>
-    <td style="vertical-align:top">logon.admx</td>
-  </tr>
-</table>
-<!-- ADMX-TABLE-END -->
-
-## <a href="" id="list-of--areaname---policyname-"></a>List of &lt;AreaName&gt;/&lt;PolicyName&gt;
-
-<!-- ADMX-DESCRIPTIONS-START -->
-<a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**
-
-<p style="margin-left: 20px">This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. </p>
-
-<p style="margin-left: 20px">If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. 
-      
-If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. </p>
-
-<p style="margin-left: 20px">Note: Wild card characters cannot be used when specifying the host URLs.
-</p>
-
-<a href="" id="appvirtualization-allowappvclient"></a>**AppVirtualization/AllowAppVClient**
-
-<p style="margin-left: 20px">This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.</p>
-
-<a href="" id="appvirtualization-allowdynamicvirtualization"></a>**AppVirtualization/AllowDynamicVirtualization**
-
-<p style="margin-left: 20px">Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.</p>
-
-<a href="" id="appvirtualization-allowpackagecleanup"></a>**AppVirtualization/AllowPackageCleanup**
-
-<p style="margin-left: 20px">N/A</p>
-
-<a href="" id="appvirtualization-allowpackagescripts"></a>**AppVirtualization/AllowPackageScripts**
-
-<p style="margin-left: 20px">Enables scripts defined in the package manifest of configuration files that should run.</p>
-
-<a href="" id="appvirtualization-allowpublishingrefreshux"></a>**AppVirtualization/AllowPublishingRefreshUX**
-
-<p style="margin-left: 20px">Enables a UX to display to the user when a publishing refresh is performed on the client.</p>
-
-<a href="" id="appvirtualization-allowreportingserver"></a>**AppVirtualization/AllowReportingServer**
-
-<p style="margin-left: 20px">Reporting Server URL: Displays the URL of reporting server.</p>
-
-<p style="margin-left: 20px">      Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
-      
-      Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.
-      
-      Repeat reporting for every (days): The periodical interval in days for sending the reporting data.
-      
-      Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.</p>
-
-<p style="margin-left: 20px">      Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The  default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
-      </p>
-
-<a href="" id="appvirtualization-allowroamingfileexclusions"></a>**AppVirtualization/AllowRoamingFileExclusions**
-
-<p style="margin-left: 20px">Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.</p>
-
-<a href="" id="appvirtualization-allowroamingregistryexclusions"></a>**AppVirtualization/AllowRoamingRegistryExclusions**
-
-<p style="margin-left: 20px">Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.</p>
-
-<a href="" id="appvirtualization-allowstreamingautoload"></a>**AppVirtualization/AllowStreamingAutoload**
-
-<p style="margin-left: 20px">Specifies how new packages should be loaded automatically by App-V on a specific computer.</p>
-
-<a href="" id="appvirtualization-clientcoexistenceallowmigrationmode"></a>**AppVirtualization/ClientCoexistenceAllowMigrationmode**
-
-<p style="margin-left: 20px">Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.</p>
-
-<a href="" id="appvirtualization-integrationallowrootglobal"></a>**AppVirtualization/IntegrationAllowRootGlobal**
-
-<p style="margin-left: 20px">Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.</p>
-
-<a href="" id="appvirtualization-integrationallowrootuser"></a>**AppVirtualization/IntegrationAllowRootUser**
-
-<p style="margin-left: 20px">Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.</p>
-
-<a href="" id="appvirtualization-publishingallowserver1"></a>**AppVirtualization/PublishingAllowServer1**
-
-<p style="margin-left: 20px">      Publishing Server Display Name: Displays the name of publishing server.
-      
-      Publishing Server URL: Displays the URL of publishing server.
-      
-      Global Publishing Refresh: Enables global publishing refresh (Boolean).
-      
-      Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-      
-      Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      
-      User Publishing Refresh: Enables user publishing refresh (Boolean).
-      
-      User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-      
-      User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      </p>
-
-<a href="" id="appvirtualization-publishingallowserver2"></a>**AppVirtualization/PublishingAllowServer2**
-
-<p style="margin-left: 20px">      Publishing Server Display Name: Displays the name of publishing server.
-      
-      Publishing Server URL: Displays the URL of publishing server.
-      
-      Global Publishing Refresh: Enables global publishing refresh (Boolean).
-      
-      Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-      
-      Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      
-      User Publishing Refresh: Enables user publishing refresh (Boolean).
-      
-      User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-      
-      User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      </p>
-
-<a href="" id="appvirtualization-publishingallowserver3"></a>**AppVirtualization/PublishingAllowServer3**
-
-<p style="margin-left: 20px">      Publishing Server Display Name: Displays the name of publishing server.
-      
-      Publishing Server URL: Displays the URL of publishing server.
-      
-      Global Publishing Refresh: Enables global publishing refresh (Boolean).
-      
-      Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-      
-      Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      
-      User Publishing Refresh: Enables user publishing refresh (Boolean).
-      
-      User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-      
-      User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      </p>
-
-<a href="" id="appvirtualization-publishingallowserver4"></a>**AppVirtualization/PublishingAllowServer4**
-
-<p style="margin-left: 20px">      Publishing Server Display Name: Displays the name of publishing server.
-      
-      Publishing Server URL: Displays the URL of publishing server.
-      
-      Global Publishing Refresh: Enables global publishing refresh (Boolean).
-      
-      Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-      
-      Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      
-      User Publishing Refresh: Enables user publishing refresh (Boolean).
-      
-      User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-      
-      User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      </p>
-
-<a href="" id="appvirtualization-publishingallowserver5"></a>**AppVirtualization/PublishingAllowServer5**
-
-<p style="margin-left: 20px">      Publishing Server Display Name: Displays the name of publishing server.
-      
-      Publishing Server URL: Displays the URL of publishing server.
-      
-      Global Publishing Refresh: Enables global publishing refresh (Boolean).
-      
-      Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-      
-      Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      
-      User Publishing Refresh: Enables user publishing refresh (Boolean).
-      
-      User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-      
-      User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-      
-      User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-      </p>
-
-<a href="" id="appvirtualization-streamingallowcertificatefilterforclient_ssl"></a>**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
-
-<p style="margin-left: 20px">Specifies the path to a valid certificate in the certificate store.</p>
-
-<a href="" id="appvirtualization-streamingallowhighcostlaunch"></a>**AppVirtualization/StreamingAllowHighCostLaunch**
-
-<p style="margin-left: 20px">This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).</p>
-
-<a href="" id="appvirtualization-streamingallowlocationprovider"></a>**AppVirtualization/StreamingAllowLocationProvider**
-
-<p style="margin-left: 20px">Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.</p>
-
-<a href="" id="appvirtualization-streamingallowpackageinstallationroot"></a>**AppVirtualization/StreamingAllowPackageInstallationRoot**
-
-<p style="margin-left: 20px">Specifies directory where all new applications and updates will be installed.</p>
-
-<a href="" id="appvirtualization-streamingallowpackagesourceroot"></a>**AppVirtualization/StreamingAllowPackageSourceRoot**
-
-<p style="margin-left: 20px">Overrides source location for downloading package content.</p>
-
-<a href="" id="appvirtualization-streamingallowreestablishmentinterval"></a>**AppVirtualization/StreamingAllowReestablishmentInterval**
-
-<p style="margin-left: 20px">Specifies the number of seconds between attempts to reestablish a dropped session.</p>
-
-<a href="" id="appvirtualization-streamingallowreestablishmentretries"></a>**AppVirtualization/StreamingAllowReestablishmentRetries**
-
-<p style="margin-left: 20px">Specifies the number of times to retry a dropped session.</p>
-
-<a href="" id="appvirtualization-streamingsharedcontentstoremode"></a>**AppVirtualization/StreamingSharedContentStoreMode**
-
-<p style="margin-left: 20px">Specifies that streamed package contents will be not be saved to the local hard disk.</p>
-
-<a href="" id="appvirtualization-streamingsupportbranchcache"></a>**AppVirtualization/StreamingSupportBranchCache**
-
-<p style="margin-left: 20px">If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache</p>
-
-<a href="" id="appvirtualization-streamingverifycertificaterevocationlist"></a>**AppVirtualization/StreamingVerifyCertificateRevocationList**
-
-<p style="margin-left: 20px">Verifies Server certificate revocation status before streaming using HTTPS.</p>
-
-<a href="" id="appvirtualization-virtualcomponentsallowlist"></a>**AppVirtualization/VirtualComponentsAllowList**
-
-<p style="margin-left: 20px">Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.</p>
-
-<a href="" id="attachmentmanager-donotpreservezoneinformation"></a>**AttachmentManager/DoNotPreserveZoneInformation**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows does not mark file attachments with their zone information.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Windows marks file attachments with their zone information.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Windows marks file attachments with their zone information.</p>
-
-<a href="" id="attachmentmanager-hidezoneinfomechanism"></a>**AttachmentManager/HideZoneInfoMechanism**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows hides the check box and Unblock button.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Windows shows the check box and Unblock button.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Windows hides the check box and Unblock button.</p>
-
-<a href="" id="attachmentmanager-notifyantivirusprograms"></a>**AttachmentManager/NotifyAntivirusPrograms**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. </p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.</p>
-
-<a href="" id="autoplay-disallowautoplayfornonvolumedevices"></a>**Autoplay/DisallowAutoplayForNonVolumeDevices**
-
-<p style="margin-left: 20px">This policy setting disallows AutoPlay for MTP devices like cameras or phones.</p>
-
-<p style="margin-left: 20px">          If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.</p>
-
-<p style="margin-left: 20px">          If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.</p>
-
-<a href="" id="autoplay-setdefaultautorunbehavior"></a>**Autoplay/SetDefaultAutoRunBehavior**
-
-<p style="margin-left: 20px">This policy setting sets the default behavior for Autorun commands.</p>
-
-<p style="margin-left: 20px">          Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.</p>
-
-<p style="margin-left: 20px">          Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.</p>
-
-<p style="margin-left: 20px">          This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.</p>
-
-<p style="margin-left: 20px">          If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:</p>
-
-<p style="margin-left: 20px">          a) Completely disable autorun commands, or
-          b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.</p>
-
-<p style="margin-left: 20px">          If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.</p>
-
-<a href="" id="autoplay-turnoffautoplay"></a>**Autoplay/TurnOffAutoPlay**
-
-<p style="margin-left: 20px">This policy setting allows you to turn off the Autoplay feature.</p>
-
-<p style="margin-left: 20px">          Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.</p>
-
-<p style="margin-left: 20px">          Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.</p>
-
-<p style="margin-left: 20px">          Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.</p>
-
-<p style="margin-left: 20px">          If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.</p>
-
-<p style="margin-left: 20px">          This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.</p>
-
-<p style="margin-left: 20px">          If you disable or do not configure this policy setting, AutoPlay is enabled.</p>
-
-<p style="margin-left: 20px">          Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.</p>
-
-<a href="" id="connectivity-hardeneduncpaths"></a>**Connectivity/HardenedUNCPaths**
-
-<p style="margin-left: 20px">This policy setting configures secure access to UNC paths.</p>
-
-<p style="margin-left: 20px">If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
-</p>
-
-<a href="" id="credentialproviders-allowpinlogon"></a>**CredentialProviders/AllowPINLogon**
-
-<p style="margin-left: 20px">This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. </p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.</p>
-
-<p style="margin-left: 20px">Note that the user's domain password will be cached in the system vault when using this feature.</p>
-
-<a href="" id="credentialproviders-blockpicturepassword"></a>**CredentialProviders/BlockPicturePassword**
-
-<p style="margin-left: 20px">This policy setting allows you to control whether a domain user can sign in using a picture password.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, a domain user can't set up or sign in with a picture password. </p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, a domain user can set up and use a picture password.</p>
-
-<p style="margin-left: 20px">Note that the user's domain password will be cached in the system vault when using this feature.</p>
-
-<a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal**
-
-<p style="margin-left: 20px">This policy setting allows you to configure the display of the password reveal button in password entry user experiences.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.</p>
-
-<p style="margin-left: 20px">By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.</p>
-
-<p style="margin-left: 20px">The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.</p>
-
-<a href="" id="credentialsui-enumerateadministrators"></a>**CredentialsUI/EnumerateAdministrators**
-
-<p style="margin-left: 20px">This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users will always be required to type a user name and password to elevate.</p>
-
-<a href="" id="datausage-setcost3g"></a>**DataUsage/SetCost3G**
-
-<p style="margin-left: 20px">This policy setting configures the cost of 3G connections on the local machine.</p>
-
-<p style="margin-left: 20px">If this policy setting is enabled, a drop-down list box presenting possible cost values will be active.  Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:</p>
-
-<p style="margin-left: 20px">- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. </p>
-
-<p style="margin-left: 20px">- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. </p>
-
-<p style="margin-left: 20px">- Variable: This connection is costed on a per byte basis.</p>
-
-<p style="margin-left: 20px">If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
-      </p>
-
-<a href="" id="datausage-setcost4g"></a>**DataUsage/SetCost4G**
-
-<p style="margin-left: 20px">This policy setting configures the cost of 4G connections on the local machine.      </p>
-
-<p style="margin-left: 20px">If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:</p>
-
-<p style="margin-left: 20px">- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. </p>
-
-<p style="margin-left: 20px">- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. </p>
-
-<p style="margin-left: 20px">- Variable: This connection is costed on a per byte basis.</p>
-
-<p style="margin-left: 20px">If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
-      </p>
-
-<a href="" id="deviceinstallation-preventinstallationofmatchingdeviceids"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
-
-<p style="margin-left: 20px">This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.</p>
-
-<a href="" id="deviceinstallation-preventinstallationofmatchingdevicesetupclasses"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
-
-<p style="margin-left: 20px">This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
- 
-If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.</p>
-
-<a href="" id="errorreporting-customizeconsentsettings"></a>**ErrorReporting/CustomizeConsentSettings**
-
-<p style="margin-left: 20px">This policy setting determines the consent behavior of Windows Error Reporting for specific event types.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.</p>
-
-<p style="margin-left: 20px">- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.</p>
-
-<p style="margin-left: 20px">- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.</p>
-
-<p style="margin-left: 20px">- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.</p>
-
-<p style="margin-left: 20px">- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.</p>
-
-<p style="margin-left: 20px">- 4 (Send all data): Any data requested by Microsoft is sent automatically.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.</p>
-
-<a href="" id="errorreporting-disablewindowserrorreporting"></a>**ErrorReporting/DisableWindowsErrorReporting**
-
-<p style="margin-left: 20px">This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.</p>
-
-<a href="" id="errorreporting-displayerrornotification"></a>**ErrorReporting/DisplayErrorNotification**
-
-<p style="margin-left: 20px">This policy setting controls whether users are shown an error dialog box that lets them report an error.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.</p>
-
-<p style="margin-left: 20px">See also the Configure Error Reporting policy setting.</p>
-
-<a href="" id="errorreporting-donotsendadditionaldata"></a>**ErrorReporting/DoNotSendAdditionalData**
-
-<p style="margin-left: 20px">This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.</p>
-
-<a href="" id="errorreporting-preventcriticalerrordisplay"></a>**ErrorReporting/PreventCriticalErrorDisplay**
-
-<p style="margin-left: 20px">This policy setting prevents the display of the user interface for critical errors.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.</p>
-
-<a href="" id="eventlogservice-controleventlogbehavior"></a>**EventLogService/ControlEventLogBehavior**
-
-<p style="margin-left: 20px">This policy setting controls Event Log behavior when the log file reaches its maximum size.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.</p>
-
-<p style="margin-left: 20px">Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.</p>
-
-<a href="" id="eventlogservice-specifymaximumfilesizeapplicationlog"></a>**EventLogService/SpecifyMaximumFileSizeApplicationLog**
-
-<p style="margin-left: 20px">This policy setting specifies the maximum size of the log file in kilobytes.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.</p>
-
-<a href="" id="eventlogservice-specifymaximumfilesizesecuritylog"></a>**EventLogService/SpecifyMaximumFileSizeSecurityLog**
-
-<p style="margin-left: 20px">This policy setting specifies the maximum size of the log file in kilobytes.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.</p>
-
-<a href="" id="eventlogservice-specifymaximumfilesizesystemlog"></a>**EventLogService/SpecifyMaximumFileSizeSystemLog**
-
-<p style="margin-left: 20px">This policy setting specifies the maximum size of the log file in kilobytes.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.</p>
-
-<a href="" id="internetexplorer-addsearchprovider"></a>**InternetExplorer/AddSearchProvider**
-
-<p style="margin-left: 20px">This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.</p>
-
-<a href="" id="internetexplorer-allowactivexfiltering"></a>**InternetExplorer/AllowActiveXFiltering**
-
-<p style="margin-left: 20px">This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.</p>
-
-<a href="" id="internetexplorer-allowaddonlist"></a>**InternetExplorer/AllowAddOnList**
-
-<p style="margin-left: 20px">This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.</p>
-
-<p style="margin-left: 20px">This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:</p>
-
-<p style="margin-left: 20px">Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list.  The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.</p>
-
-<p style="margin-left: 20px">Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.</p>
-
-<a href="" id="internetexplorer-allowenhancedprotectedmode"></a>**InternetExplorer/AllowEnhancedProtectedMode**
-
-<p style="margin-left: 20px">Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.</p>
-
-<a href="" id="internetexplorer-allowenterprisemodefromtoolsmenu"></a>**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
-
-<p style="margin-left: 20px">This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.</p>
-
-<p style="margin-left: 20px">If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.</p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.</p>
-
-<a href="" id="internetexplorer-allowenterprisemodesitelist"></a>**InternetExplorer/AllowEnterpriseModeSiteList**
-
-<p style="margin-left: 20px">This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.</p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.</p>
-
-<a href="" id="internetexplorer-allowinternetexplorer7policylist "></a>**InternetExplorer/AllowInternetExplorer7PolicyList **
-
-<p style="margin-left: 20px">This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can add and remove sites from the list.</p>
-
-<a href="" id="internetexplorer-allowinternetexplorerstandardsmode"></a>**InternetExplorer/AllowInternetExplorerStandardsMode**
-
-<p style="margin-left: 20px">This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.</p>
-
-<a href="" id="internetexplorer-allowinternetzonetemplate"></a>**InternetExplorer/AllowInternetZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowintranetzonetemplate"></a>**InternetExplorer/AllowIntranetZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowlocalmachinezonetemplate"></a>**InternetExplorer/AllowLocalMachineZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowlockeddowninternetzonetemplate"></a>**InternetExplorer/AllowLockedDownInternetZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowlockeddownintranetzonetemplate"></a>**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowlockeddownlocalmachinezonetemplate"></a>**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowlockeddownrestrictedsiteszonetemplate"></a>**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowonewordentry"></a>**InternetExplorer/AllowOneWordEntry**
-
-<p style="margin-left: 20px">This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.</p>
-
-<a href="" id="internetexplorer-allowsitetozoneassignmentlist"></a>**InternetExplorer/AllowSiteToZoneAssignmentList**
-
-<p style="margin-left: 20px">This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.</p>
-
-<p style="margin-left: 20px">Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:</p>
-
-<p style="margin-left: 20px">Valuename  A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.</p>
-
-<p style="margin-left: 20px">Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy, users may choose their own site-to-zone assignments.</p>
-
-<a href="" id="internetexplorer-allowsuggestedsites"></a>**InternetExplorer/AllowSuggestedSites**
-
-<p style="margin-left: 20px">This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the entry points and functionality associated with this feature are turned off.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.</p>
-
-<a href="" id="internetexplorer-allowtrustedsiteszonetemplate"></a>**InternetExplorer/AllowTrustedSitesZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowslockeddowntrustedsiteszonetemplate"></a>**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-allowsrestrictedsiteszonetemplate"></a>**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
-
-<p style="margin-left: 20px">This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.</p>
-
-<p style="margin-left: 20px">If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.</p>
-
-<p style="margin-left: 20px">If you disable this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">If you do not configure this template policy setting, no security level is configured.</p>
-
-<p style="margin-left: 20px">Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.</p>
-
-<p style="margin-left: 20px">Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.</p>
-
-<a href="" id="internetexplorer-disableadobeflash"></a>**InternetExplorer/DisableAdobeFlash**
-
-<p style="margin-left: 20px">This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.</p>
-
-<p style="margin-left: 20px">If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.</p>
-
-<p style="margin-left: 20px">Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.</p>
-
-<a href="" id="internetexplorer-disablecustomerexperienceimprovementprogramparticipation"></a>**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
-
-<p style="margin-left: 20px">This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose to participate in the CEIP.</p>
-
-<a href="" id="internetexplorer-disableenclosuredownloading"></a>**InternetExplorer/DisableEnclosureDownloading**
-
-<p style="margin-left: 20px">This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.</p>
-
-<a href="" id="internetexplorer-disableencryptionsupport"></a>**InternetExplorer/DisableEncryptionSupport**
-
-<p style="margin-left: 20px">This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.</p>
-
-<p style="margin-left: 20px">Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.</p>
-
-<a href="" id="internetexplorer-disablefirstrunwizard"></a>**InternetExplorer/DisableFirstRunWizard**
-
-<p style="margin-left: 20px">This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you must make one of the following choices:
-     Skip the First Run wizard, and go directly to the user's home page.
-     Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.</p>
-
-<p style="margin-left: 20px">Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.</p>
-
-<a href="" id="internetexplorer-disableflipaheadfeature"></a>**InternetExplorer/DisableFlipAheadFeature**
-
-<p style="margin-left: 20px">This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.</p>
-
-<p style="margin-left: 20px">Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.</p>
-
-<p style="margin-left: 20px">If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.</p>
-
-<a href="" id="internetexplorer-disablehomepagechange"></a>**InternetExplorer/DisableHomePageChange**
-
-<p style="margin-left: 20px">The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.</p>
-
-<a href="" id="internetexplorer-disablesearchproviderchange"></a>**InternetExplorer/DisableSearchProviderChange**
-
-<p style="margin-left: 20px">This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user cannot change the default search provider.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can change the default search provider.</p>
-
-<a href="" id="internetexplorer-disablesecondaryhomepagechange"></a>**InternetExplorer/DisableSecondaryHomePageChange**
-
-<p style="margin-left: 20px">Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can add secondary home pages.</p>
-
-<p style="margin-left: 20px">Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.</p>
-
-<a href="" id="internetexplorer-donotblockoutdatedactivexcontrols"></a>**InternetExplorer/DoNotBlockOutdatedActiveXControls**
-
-<p style="margin-left: 20px">This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.</p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.</p>
-
-<p style="margin-left: 20px">For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.</p>
-
-<a href="" id="internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains"></a>**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
-
-<p style="margin-left: 20px">This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:</p>
-
-<p style="margin-left: 20px">1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
-2. "hostname". For example, if you want to include http://example, use "example"
-3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"</p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.</p>
-
-<p style="margin-left: 20px">For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.</p>
-
-<a href="" id="internetexplorer-includealllocalsites"></a>**InternetExplorer/IncludeAllLocalSites**
-
-<p style="margin-left: 20px">This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.</p>
-
-<a href="" id="internetexplorer-includeallnetworkpaths"></a>**InternetExplorer/IncludeAllNetworkPaths**
-
-<p style="margin-left: 20px">This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, all network paths are mapped into the Intranet Zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.</p>
-
-<a href="" id="internetexplorer-internetzoneallowaccesstodatasources"></a>**InternetExplorer/InternetZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-internetzoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-internetzoneallowfontdownloads"></a>**InternetExplorer/InternetZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-internetzoneallowlessprivilegedsites"></a>**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.  The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.</p>
-
-<a href="" id="internetexplorer-internetzoneallownetframeworkreliantcomponents"></a>**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-internetzoneallowscriptlets"></a>**InternetExplorer/InternetZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-internetzoneallowsmartscreenie"></a>**InternetExplorer/InternetZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-internetzoneallowuserdatapersistence"></a>**InternetExplorer/InternetZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-internetzoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-internetzonenavigatewindowsandframes"></a>**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowaccesstodatasources"></a>**InternetExplorer/IntranetZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowfontdownloads"></a>**InternetExplorer/IntranetZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowlessprivilegedsites"></a>**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.  The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.</p>
-
-<a href="" id="internetexplorer-intranetzoneallownetframeworkreliantcomponents"></a>**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowscriptlets"></a>**InternetExplorer/IntranetZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowsmartscreenie"></a>**InternetExplorer/IntranetZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-intranetzoneallowuserdatapersistence"></a>**InternetExplorer/IntranetZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-intranetzonenavigatewindowsandframes"></a>**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowaccesstodatasources"></a>**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowfontdownloads"></a>**InternetExplorer/LocalMachineZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowlessprivilegedsites"></a>**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowscriptlets"></a>**InternetExplorer/LocalMachineZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowsmartscreenie"></a>**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-localmachinezoneallowuserdatapersistence"></a>**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-localmachinezoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-localmachinezonenavigatewindowsandframes"></a>**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowfontdownloads"></a>**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowlessprivilegedsites"></a>**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowscriptlets"></a>**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowsmartscreenie"></a>**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneallowuserdatapersistence"></a>**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-lockeddowninternetzonenavigatewindowsandframes"></a>**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowfontdownloads"></a>**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowlessprivilegedsites"></a>**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowscriptlets"></a>**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowsmartscreenie"></a>**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneallowuserdatapersistence"></a>**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-lockeddownintranetzonenavigatewindowsandframes"></a>**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowfontdownloads"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowscriptlets"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence"></a>**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes"></a>**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence"></a>**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes"></a>**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowscriptlets"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence"></a>**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes"></a>**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowaccesstodatasources"></a>**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowfontdownloads"></a>**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowlessprivilegedsites"></a>**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents"></a>**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowscriptlets"></a>**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowsmartscreenie"></a>**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneallowuserdatapersistence"></a>**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-restrictedsiteszonenavigatewindowsandframes"></a>**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.</p>
-
-<a href="" id="internetexplorer-searchproviderlist"></a>**InternetExplorer/SearchProviderList**
-
-<p style="margin-left: 20px">This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the user can configure his or her list of search providers.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowaccesstodatasources"></a>**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols"></a>**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-<p style="margin-left: 20px">This policy setting manages whether users will be automatically prompted for ActiveX control installations.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads"></a>**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-<p style="margin-left: 20px">This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.</p>
-
-<p style="margin-left: 20px">If you enable this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowfontdownloads"></a>**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether pages of the zone may download HTML fonts.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, HTML fonts are prevented from downloading.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, HTML fonts can be downloaded automatically.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowlessprivilegedsites"></a>**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.  The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents"></a>**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, Internet Explorer will not execute unsigned managed components.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowscriptlets"></a>**InternetExplorer/TrustedSitesZoneAllowScriptlets**
-
-<p style="margin-left: 20px">This policy setting allows you to manage whether the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the user can run scriptlets.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user cannot run scriptlets.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can enable or disable scriptlets.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowsmartscreenie"></a>**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
-
-<p style="margin-left: 20px">This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.</p>
-
-<p style="margin-left: 20px">Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneallowuserdatapersistence"></a>**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.</p>
-
-<a href="" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols"></a>**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
-
-<p style="margin-left: 20px">This policy setting allows you to manage ActiveX controls not marked as safe.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.</p>
-
-<a href="" id="internetexplorer-trustedsiteszonenavigatewindowsandframes"></a>**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
-
-<p style="margin-left: 20px">This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot open windows and frames to access applications from different domains.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.</p>
-
-<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
-
-<p style="margin-left: 20px">This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.</p>
-
-<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
-
-<p style="margin-left: 20px">This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. 
-If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.  
-</p>
-
-<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
-
-<p style="margin-left: 20px">This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.</p>
-
-<p style="margin-left: 20px">Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. </p>
-
-<p style="margin-left: 20px">Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. </p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
-</p>
-
-<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
-
-<p style="margin-left: 20px">This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.  </p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
-</p>
-
-<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
-
-<p style="margin-left: 20px">This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
-              
-The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. </p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. </p>
-
-<p style="margin-left: 20px">Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.</p>
-
-<p style="margin-left: 20px"></p>
-
-<a href="" id="power-allowstandbywhensleepingpluggedin"></a>**Power/AllowStandbyWhenSleepingPluggedIn**
-
-<p style="margin-left: 20px">This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.</p>
-
-<a href="" id="power-requirepasswordwhencomputerwakesonbattery"></a>**Power/RequirePasswordWhenComputerWakesOnBattery**
-
-<p style="margin-left: 20px">This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.</p>
-
-<p style="margin-left: 20px">If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.</p>
-
-<a href="" id="power-requirepasswordwhencomputerwakespluggedin"></a>**Power/RequirePasswordWhenComputerWakesPluggedIn**
-
-<p style="margin-left: 20px">This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.</p>
-
-<p style="margin-left: 20px">If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.</p>
-
-<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
-
-<p style="margin-left: 20px">This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.</p>
-
-<p style="margin-left: 20px">          If you enable this policy setting:
-          -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
-          -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.</p>
-
-<p style="margin-left: 20px">          If you do not configure this policy setting:
-          -Windows Vista client computers can point and print to any server.
-          -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-          -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-          -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.</p>
-
-<p style="margin-left: 20px">          If you disable this policy setting:
-          -Windows Vista client computers can create a printer connection to any server using Point and Print.
-          -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-          -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-          -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-          -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).</p>
-
-<a href="" id="printers-pointandprintrestrictions_user"></a>**Printers/PointAndPrintRestrictions_User**
-
-<p style="margin-left: 20px">This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.</p>
-
-<p style="margin-left: 20px">          If you enable this policy setting:
-          -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
-          -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.</p>
-
-<p style="margin-left: 20px">          If you do not configure this policy setting:
-          -Windows Vista client computers can point and print to any server.
-          -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-          -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-          -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.</p>
-
-<p style="margin-left: 20px">          If you disable this policy setting:
-          -Windows Vista client computers can create a printer connection to any server using Point and Print.
-          -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-          -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-          -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-          -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).</p>
-
-<a href="" id="printers-publishprinters"></a>**Printers/PublishPrinters**
-
-<p style="margin-left: 20px">Determines whether the computer's shared printers can be published in Active Directory.</p>
-
-<p style="margin-left: 20px">            If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.</p>
-
-<p style="margin-left: 20px">            If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.</p>
-
-<p style="margin-left: 20px">            Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".</p>
-
-<a href="" id="remoteassistance-customizewarningmessages"></a>**RemoteAssistance/CustomizeWarningMessages**
-
-<p style="margin-left: 20px">This policy setting lets you customize warning messages.</p>
-
-<p style="margin-left: 20px">The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.</p>
-
-<p style="margin-left: 20px">The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the user sees the default warning message.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, the user sees the default warning message.</p>
-
-<a href="" id="remoteassistance-sessionlogging"></a>**RemoteAssistance/SessionLogging**
-
-<p style="margin-left: 20px">This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, log files are generated.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, log files are not generated.</p>
-
-<p style="margin-left: 20px">If you do not configure this setting, application-based settings are used.</p>
-
-<a href="" id="remoteassistance-solicitedremoteassistance"></a>**RemoteAssistance/SolicitedRemoteAssistance**
-
-<p style="margin-left: 20px">This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."</p>
-
-<p style="margin-left: 20px">The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.</p>
-
-<p style="margin-left: 20px">The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.</p>
-
-<a href="" id="remoteassistance-unsolicitedremoteassistance"></a>**RemoteAssistance/UnsolicitedRemoteAssistance**
-
-<p style="margin-left: 20px">This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.</p>
-
-<p style="margin-left: 20px">To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:</p>
-
-<p style="margin-left: 20px"><Domain Name>\<User Name> or</p>
-
-<p style="margin-left: 20px"><Domain Name>\<Group Name></p>
-
-<p style="margin-left: 20px">If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.</p>
-
-<p style="margin-left: 20px">Windows Vista and later</p>
-
-<p style="margin-left: 20px">Enable the Remote Assistance exception for the domain profile. The exception must contain:
-Port 135:TCP
-%WINDIR%\System32\msra.exe
-%WINDIR%\System32\raserver.exe</p>
-
-<p style="margin-left: 20px">Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)</p>
-
-<p style="margin-left: 20px">Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-%WINDIR%\System32\Sessmgr.exe</p>
-
-<p style="margin-left: 20px">For computers running Windows Server 2003 with Service Pack 1 (SP1)</p>
-
-<p style="margin-left: 20px">Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-Allow Remote Desktop Exception</p>
-
-<a href="" id="remotedesktopservices-allowuserstoconnectremotely"></a>**RemoteDesktopServices/AllowUsersToConnectRemotely**
-
-<p style="margin-left: 20px">This policy setting allows you to configure remote access to computers by using Remote Desktop Services.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. </p>
-
-<p style="margin-left: 20px">Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. </p>
-
-<p style="margin-left: 20px">You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
-</p>
-
-<a href="" id="remotedesktopservices-clientconnectionencryptionlevel"></a>**RemoteDesktopServices/ClientConnectionEncryptionLevel**
-
-<p style="margin-left: 20px">Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:</p>
-
-<p style="margin-left: 20px">* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.</p>
-
-<p style="margin-left: 20px">* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.</p>
-
-<p style="margin-left: 20px">* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.</p>
-
-<p style="margin-left: 20px">Important</p>
-
-<p style="margin-left: 20px">FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
-</p>
-
-<a href="" id="remotedesktopservices-donotallowdriveredirection"></a>**RemoteDesktopServices/DoNotAllowDriveRedirection**
-
-<p style="margin-left: 20px">This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).</p>
-
-<p style="margin-left: 20px">By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
-</p>
-
-<a href="" id="remotedesktopservices-donotallowpasswordsaving"></a>**RemoteDesktopServices/DoNotAllowPasswordSaving**
-
-<p style="margin-left: 20px">Controls whether passwords can be saved on this computer from Remote Desktop Connection.</p>
-
-<p style="margin-left: 20px">If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.</p>
-
-<p style="margin-left: 20px">If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.</p>
-
-<a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**
-
-<p style="margin-left: 20px">This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.</p>
-
-<p style="margin-left: 20px">You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.</p>
-
-<p style="margin-left: 20px">By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
-</p>
-
-<a href="" id="remotedesktopservices-requiresecurerpccommunication"></a>**RemoteDesktopServices/RequireSecureRPCCommunication**
-
-<p style="margin-left: 20px">Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.</p>
-
-<p style="margin-left: 20px">You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.</p>
-
-<p style="margin-left: 20px">If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.</p>
-
-<p style="margin-left: 20px">If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.</p>
-
-<p style="margin-left: 20px">If the status is set to Not Configured, unsecured communication is allowed.</p>
-
-<p style="margin-left: 20px">Note: The RPC interface is used for administering and configuring Remote Desktop Services.</p>
-
-<a href="" id="remoteprocedurecall-rpcendpointmapperclientauthentication"></a>**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
-
-<p style="margin-left: 20px">This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information.   The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. </p>
-
-<p style="margin-left: 20px">If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information.  Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.</p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, it remains disabled.  RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.</p>
-
-<p style="margin-left: 20px">Note: This policy will not be applied until the system is rebooted.</p>
-
-<a href="" id="remoteprocedurecall-restrictunauthenticatedrpcclients"></a>**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
-
-<p style="margin-left: 20px">This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.</p>
-
-<p style="margin-left: 20px">This policy setting impacts all RPC applications.  In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself.  Reverting a change to this policy setting can require manual intervention on each affected machine.  This policy setting should never be applied to a domain controller.</p>
-
-<p style="margin-left: 20px">If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. </p>
-
-<p style="margin-left: 20px">If you do not configure this policy setting, it remains disabled.  The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. </p>
-
-<p style="margin-left: 20px">If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.</p>
-
-<p style="margin-left: 20px">--  "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.</p>
-
-<p style="margin-left: 20px">--  "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.</p>
-
-<p style="margin-left: 20px">--  "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied.  No exceptions are allowed.</p>
-
-<p style="margin-left: 20px">Note: This policy setting will not be applied until the system is rebooted.</p>
-
-<a href="" id="storage-enhancedstoragedevices"></a>**Storage/EnhancedStorageDevices**
-
-<p style="margin-left: 20px">This policy setting configures whether or not Windows will activate an Enhanced Storage device.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.</p>
-
-<a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**
-
-<p style="margin-left: 20px">N/A</p>
-
-<a href="" id="system-disablesystemrestore"></a>**System/DisableSystemRestore**
-
-<p style="margin-left: 20px">Allows you to disable System Restore.</p>
-
-<p style="margin-left: 20px">This policy setting allows you to turn off System Restore.</p>
-
-<p style="margin-left: 20px">System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.</p>
-
-<p style="margin-left: 20px">Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.</p>
-
-<a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**
-
-<p style="margin-left: 20px">This policy setting allows you to prevent app notifications from appearing on the lock screen.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, no app notifications are displayed on the lock screen.</p>
-
-<p style="margin-left: 20px">If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.</p>
-
-<a href="" id="windowslogon-dontdisplaynetworkselectionui"></a>**WindowsLogon/DontDisplayNetworkSelectionUI**
-
-<p style="margin-left: 20px">This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.</p>
-
-<p style="margin-left: 20px">If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.</p>
-
-<p style="margin-left: 20px">If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.</p>
-
-
-
-<!-- ADMX-DESCRIPTIONS-END -->
-
-
-
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6a2a63b9e5..ff951b9536 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -118,6 +118,29 @@ The following diagram shows the Policy configuration service provider in tree fo
 <!--StartPolicy-->
 <a href="" id="abovelock-allowactioncenternotifications"></a>**AboveLock/AllowActionCenterNotifications**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -131,26 +154,34 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="abovelock-allowcortanaabovelock"></a>**AboveLock/AllowCortanaAboveLock**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
 
@@ -159,26 +190,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="abovelock-allowtoasts"></a>**AboveLock/AllowToasts**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow toast notifications above the device lock screen.
 
@@ -189,26 +228,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether user is allowed to add non-MSA email accounts.
 
@@ -222,26 +269,34 @@ SKU Support:
 > [!NOTE]
 > This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
 
@@ -252,26 +307,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="accounts-allowmicrosoftaccountsigninassistant"></a>**Accounts/AllowMicrosoftAccountSignInAssistant**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
 
@@ -280,27 +343,34 @@ SKU Support:
 -   0 – Disabled.
 -   1 (default) – Manual start.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="accounts-domainnamesforemailsync"></a>**Accounts/DomainNamesForEmailSync**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies a list of the domains that are allowed to sync email on the device.
 
@@ -308,22 +378,7 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**  
@@ -337,9 +392,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt
 
 Note: Wild card characters cannot be used when specifying the host URLs.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -356,8 +408,6 @@ ADMX Info:
 <!--StartDescription-->
 This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -374,8 +424,6 @@ ADMX Info:
 <!--StartDescription-->
 Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -392,8 +440,6 @@ ADMX Info:
 <!--StartDescription-->
 Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -410,8 +456,6 @@ ADMX Info:
 <!--StartDescription-->
 Enables scripts defined in the package manifest of configuration files that should run.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -428,8 +472,6 @@ ADMX Info:
 <!--StartDescription-->
 Enables a UX to display to the user when a publishing refresh is performed on the client.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -456,9 +498,6 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the
 
 Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The  default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -475,8 +514,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -493,8 +530,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -511,8 +546,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies how new packages should be loaded automatically by App-V on a specific computer.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -529,8 +562,6 @@ ADMX Info:
 <!--StartDescription-->
 Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -547,8 +578,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -565,8 +594,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -601,9 +628,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
 
 User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -638,9 +662,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
 
 User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -675,9 +696,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
 
 User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -712,9 +730,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
 
 User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -749,9 +764,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin
 
 User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -768,8 +780,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the path to a valid certificate in the certificate store.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -786,8 +796,6 @@ ADMX Info:
 <!--StartDescription-->
 This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -804,8 +812,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -822,8 +828,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies directory where all new applications and updates will be installed.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -840,8 +844,6 @@ ADMX Info:
 <!--StartDescription-->
 Overrides source location for downloading package content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -858,8 +860,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the number of seconds between attempts to reestablish a dropped session.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -876,8 +876,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies the number of times to retry a dropped session.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -894,8 +892,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies that streamed package contents will be not be saved to the local hard disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -912,8 +908,6 @@ ADMX Info:
 <!--StartDescription-->
 If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -930,8 +924,6 @@ ADMX Info:
 <!--StartDescription-->
 Verifies Server certificate revocation status before streaming using HTTPS.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -948,8 +940,6 @@ ADMX Info:
 <!--StartDescription-->
 Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -963,6 +953,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="applicationdefaults-defaultassociationsconfiguration"></a>**ApplicationDefaults/DefaultAssociationsConfiguration**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be  base64 encoded before being added to SyncML.
  
@@ -1020,27 +1033,34 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
 </SyncML>
 ```
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowalltrustedapps"></a>**ApplicationManagement/AllowAllTrustedApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether non Windows Store apps are allowed.
 
@@ -1052,26 +1072,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowappstoreautoupdate"></a>**ApplicationManagement/AllowAppStoreAutoUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether automatic update of apps from Windows Store are allowed.
 
@@ -1082,26 +1110,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowdeveloperunlock"></a>**ApplicationManagement/AllowDeveloperUnlock**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether developer unlock is allowed.
 
@@ -1113,26 +1149,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowgamedvr"></a>**ApplicationManagement/AllowGameDVR**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -1146,26 +1190,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowshareduserappdata"></a>**ApplicationManagement/AllowSharedUserAppData**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether multiple users of the same app can share data.
 
@@ -1176,26 +1228,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-allowstore"></a>**ApplicationManagement/AllowStore**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether app store is allowed at the device.
 
@@ -1206,26 +1266,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-applicationrestrictions"></a>**ApplicationManagement/ApplicationRestrictions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -1251,26 +1319,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-disablestoreoriginatedapps"></a>**ApplicationManagement/DisableStoreOriginatedApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
 
@@ -1279,26 +1355,34 @@ SKU Support:
 -   0 (default) – Enable launch of apps.
 -   1 – Disable launch of apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-requireprivatestoreonly"></a>**ApplicationManagement/RequirePrivateStoreOnly**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows disabling of the retail catalog and only enables the Private store.
 
@@ -1318,26 +1402,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-restrictappdatatosystemvolume"></a>**ApplicationManagement/RestrictAppDataToSystemVolume**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether application data is restricted to the system drive.
 
@@ -1348,26 +1440,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="applicationmanagement-restrictapptosystemvolume"></a>**ApplicationManagement/RestrictAppToSystemVolume**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether the installation of applications is restricted to the system drive.
 
@@ -1378,22 +1478,7 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="attachmentmanager-donotpreservezoneinformation"></a>**AttachmentManager/DoNotPreserveZoneInformation**  
@@ -1407,8 +1492,6 @@ If you disable this policy setting, Windows marks file attachments with their zo
 
 If you do not configure this policy setting, Windows marks file attachments with their zone information.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1431,8 +1514,6 @@ If you disable this policy setting, Windows shows the check box and Unblock butt
 
 If you do not configure this policy setting, Windows hides the check box and Unblock button.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1455,8 +1536,6 @@ If you disable this policy setting, Windows does not call the registered antivir
 
 If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1470,6 +1549,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="authentication-alloweapcertsso"></a>**Authentication/AllowEAPCertSSO**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1489,26 +1591,34 @@ ADMX Info:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="authentication-allowfastreconnect"></a>**Authentication/AllowFastReconnect**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
 
@@ -1519,26 +1629,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="authentication-allowsecondaryauthenticationdevice"></a>**Authentication/AllowSecondaryAuthenticationDevice**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
 
@@ -1549,22 +1667,7 @@ SKU Support:
 
 <p style="margin-left: 20px">The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="autoplay-disallowautoplayfornonvolumedevices"></a>**Autoplay/DisallowAutoplayForNonVolumeDevices**  
@@ -1576,8 +1679,6 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like
 
 If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1607,8 +1708,6 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto
 
 If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1639,8 +1738,6 @@ If you disable or do not configure this policy setting, AutoPlay is enabled.
 
 Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -1654,6 +1751,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="bitlocker-encryptionmethod"></a>**Bitlocker/EncryptionMethod**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies the BitLocker Drive Encryption method and cipher strength.
 
@@ -1664,26 +1784,34 @@ ADMX Info:
 -   6 -XTS 128
 -   7 - XTS 256
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="bluetooth-allowadvertising"></a>**Bluetooth/AllowAdvertising**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether the device can send out Bluetooth advertisements.
 
@@ -1696,26 +1824,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="bluetooth-allowdiscoverablemode"></a>**Bluetooth/AllowDiscoverableMode**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether other Bluetooth-enabled devices can discover the device.
 
@@ -1728,26 +1864,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="bluetooth-allowprepairing"></a>**Bluetooth/AllowPrepairing**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
 
@@ -1756,26 +1900,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default)– Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="bluetooth-localdevicename"></a>**Bluetooth/LocalDeviceName**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Sets the local Bluetooth device name.
 
@@ -1783,51 +1935,67 @@ SKU Support:
 
 <p style="margin-left: 20px">If this policy is not set or it is deleted, the default local radio name is used.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="bluetooth-servicesallowedlist"></a>**Bluetooth/ServicesAllowedList**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
 
 <p style="margin-left: 20px">The default value is an empty string.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowaddressbardropdown"></a>**Browser/AllowAddressBarDropdown**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
 
@@ -1841,14 +2009,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowautofill"></a>**Browser/AllowAutofill**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether autofill on websites is allowed.
 
@@ -1866,26 +2054,34 @@ SKU Support:
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Save form entries** is greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowbrowser"></a>**Browser/AllowBrowser**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -1902,26 +2098,34 @@ SKU Support:
 
 <p style="margin-left: 20px">When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowcookies"></a>**Browser/AllowCookies**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether cookies are allowed.
 
@@ -1939,25 +2143,34 @@ SKU Support:
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Cookies** is greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowdevelopertools"></a>**Browser/AllowDeveloperTools**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1972,26 +2185,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowdonottrack"></a>**Browser/AllowDoNotTrack**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether Do Not Track headers are allowed.
 
@@ -2009,26 +2230,34 @@ SKU Support:
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Send Do Not Track requests** is greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowextensions"></a>**Browser/AllowExtensions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
 
@@ -2037,26 +2266,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowflash"></a>**Browser/AllowFlash**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
 
@@ -2065,26 +2302,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowflashclicktorun"></a>**Browser/AllowFlashClickToRun**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
 
@@ -2093,26 +2338,34 @@ SKU Support:
 -   0 – Adobe Flash content is automatically loaded and run by Microsoft Edge.
 -   1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowinprivate"></a>**Browser/AllowInPrivate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether InPrivate browsing is allowed on corporate networks.
 
@@ -2123,26 +2376,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowmicrosoftcompatibilitylist"></a>**Browser/AllowMicrosoftCompatibilityList**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. 
 By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". 
@@ -2156,14 +2417,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowpasswordmanager"></a>**Browser/AllowPasswordManager**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether saving and managing passwords locally on the device is allowed.
 
@@ -2181,26 +2462,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowpopups"></a>**Browser/AllowPopups**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether pop-up blocker is allowed or enabled.
 
@@ -2218,26 +2507,34 @@ SKU Support:
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Block pop-ups** is greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowsearchenginecustomization"></a>**Browser/AllowSearchEngineCustomization**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine. 
   
@@ -2250,14 +2547,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowsearchsuggestionsinaddressbar"></a>**Browser/AllowSearchSuggestionsinAddressBar**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether search suggestions are allowed in the address bar.
 
@@ -2268,26 +2585,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-allowsmartscreen"></a>**Browser/AllowSmartScreen**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether Windows Defender SmartScreen is allowed.
 
@@ -2305,26 +2630,34 @@ SKU Support:
 3.  Click **Settings** in the drop down list, and select **View Advanced Settings**.
 4.  Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-clearbrowsingdataonexit"></a>**Browser/ClearBrowsingDataOnExit**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
 
@@ -2341,14 +2674,34 @@ SKU Support:
 2.  Close the Microsoft Edge window.
 3.  Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-configureadditionalsearchengines"></a>**Browser/ConfigureAdditionalSearchEngines**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices. 
  
@@ -2367,14 +2720,34 @@ Employees cannot remove these search engines, but they can set any one as the de
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-disablelockdownofstartpages"></a>**Browser/DisableLockdownOfStartPages**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect. 
   
@@ -2391,14 +2764,34 @@ Employees cannot remove these search engines, but they can set any one as the de
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-enterprisemodesitelist"></a>**Browser/EnterpriseModeSiteList**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2411,50 +2804,66 @@ Employees cannot remove these search engines, but they can set any one as the de
 -   Not configured. The device checks for updates from Microsoft Update.
 -   Set to a URL location of the enterprise site list.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-enterprisesitelistserviceurl"></a>**Browser/EnterpriseSiteListServiceUrl**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!IMPORTANT]
 > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-firstrunurl"></a>**Browser/FirstRunURL**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -2466,26 +2875,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-homepages"></a>**Browser/HomePages**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2499,27 +2916,34 @@ SKU Support:
 > [!NOTE]
 > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventaccesstoaboutflagsinmicrosoftedge"></a>**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
 
@@ -2528,26 +2952,34 @@ SKU Support:
 -   0 (default) – Users can access the about:flags page in Microsoft Edge.
 -   1 – Users can't access the about:flags page in Microsoft Edge.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventfirstrunpage"></a>**Browser/PreventFirstRunPage**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
 
@@ -2558,14 +2990,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventlivetiledatacollection"></a>**Browser/PreventLiveTileDataCollection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
 
@@ -2576,14 +3028,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventsmartscreenpromptoverride"></a>**Browser/PreventSmartScreenPromptOverride**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
 
@@ -2594,26 +3066,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventsmartscreenpromptoverrideforfiles"></a>**Browser/PreventSmartScreenPromptOverrideForFiles**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
 
@@ -2622,26 +3102,34 @@ SKU Support:
 -   0 (default) – Off.
 -   1 – On.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-preventusinglocalhostipaddressforwebrtc"></a>**Browser/PreventUsingLocalHostIPAddressForWebRTC**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2654,26 +3142,34 @@ SKU Support:
 -   0 (default) – The localhost IP address is shown.
 -   1 – The localhost IP address is hidden.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-sendintranettraffictointernetexplorer"></a>**Browser/SendIntranetTraffictoInternetExplorer**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2688,26 +3184,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-setdefaultsearchengine"></a>**Browser/SetDefaultSearchEngine**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
 
@@ -2725,14 +3229,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-showmessagewhenopeningsitesininternetexplorer"></a>**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2747,26 +3271,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="browser-syncfavoritesbetweenieandmicrosoftedge"></a>**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
 
@@ -2788,27 +3320,34 @@ SKU Support:
 <li>Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
 </ol>
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="camera-allowcamera"></a>**Camera/AllowCamera**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Disables or enables the camera.
 
@@ -2819,26 +3358,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowbluetooth"></a>**Connectivity/AllowBluetooth**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the user to enable Bluetooth or restrict access.
 
@@ -2856,26 +3403,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowcellulardata"></a>**Connectivity/AllowCellularData**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
 
@@ -2885,26 +3440,34 @@ SKU Support:
 -   1 (default) – Allow the cellular data channel. The user can turn it off.
 -   2 - Allow the cellular data channel. The user cannot turn it off.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowcellulardataroaming"></a>**Connectivity/AllowCellularDataRoaming**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
 
@@ -2924,26 +3487,34 @@ SKU Support:
 2.  Click on the SIM (next to the signal strength icon) and select **Properties**.
 3.  On the Properties page, select **Data roaming options**.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowconnecteddevices"></a>**Connectivity/AllowConnectedDevices**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -2955,27 +3526,34 @@ SKU Support:
 -   1 (default) - Allow (CDP service available).
 -   0 - Disable (CDP service not available).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allownfc"></a>**Connectivity/AllowNFC**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -2990,26 +3568,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -3026,26 +3612,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowvpnovercellular"></a>**Connectivity/AllowVPNOverCellular**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies what type of underlying connections VPN is allowed to use.
 
@@ -3056,26 +3650,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-allowvpnroamingovercellular"></a>**Connectivity/AllowVPNRoamingOverCellular**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Prevents the device from connecting to VPN when the device roams over cellular networks.
 
@@ -3086,22 +3688,7 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="connectivity-hardeneduncpaths"></a>**Connectivity/HardenedUNCPaths**  
@@ -3111,9 +3698,6 @@ This policy setting configures secure access to UNC paths.
 
 If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3138,8 +3722,6 @@ Note: The user's domain password will be cached in the system vault when using t
 
 To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3162,8 +3744,6 @@ If you disable or don't configure this policy setting, a domain user can set up
 
 Note that the user's domain password will be cached in the system vault when using this feature.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3188,8 +3768,6 @@ By default, the password reveal button is displayed after a user types a passwor
 
 The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3210,8 +3788,6 @@ If you enable this policy setting, all local administrator accounts on the PC wi
 
 If you disable this policy setting, users will always be required to type a user name and password to elevate.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3225,6 +3801,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="cryptography-allowfipsalgorithmpolicy"></a>**Cryptography/AllowFipsAlgorithmPolicy**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows the Federal Information Processing Standard (FIPS) policy.
 
@@ -3233,49 +3832,65 @@ ADMX Info:
 -   0 (default) – Not allowed.
 -   1– Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="cryptography-tlsciphersuites"></a>**Cryptography/TLSCipherSuites**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="dataprotection-allowdirectmemoryaccess"></a>**DataProtection/AllowDirectMemoryAccess**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
 
@@ -3286,26 +3901,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="dataprotection-legacyselectivewipeid"></a>**DataProtection/LegacySelectiveWipeID**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!IMPORTANT]
 > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
@@ -3316,23 +3939,7 @@ SKU Support:
 > [!NOTE]
 > This policy is not recommended for use in Windows 10.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="datausage-setcost3g"></a>**DataUsage/SetCost3G**  
@@ -3350,9 +3957,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
 
 If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3379,9 +3983,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost
 
 If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -3395,6 +3996,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="defender-allowarchivescanning"></a>**Defender/AllowArchiveScanning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3407,26 +4031,34 @@ ADMX Info:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowbehaviormonitoring"></a>**Defender/AllowBehaviorMonitoring**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3439,26 +4071,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowcloudprotection"></a>**Defender/AllowCloudProtection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3471,26 +4111,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowemailscanning"></a>**Defender/AllowEmailScanning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3503,26 +4151,34 @@ SKU Support:
 -   0 (default) – Not allowed.
 -   1 – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowfullscanonmappednetworkdrives"></a>**Defender/AllowFullScanOnMappedNetworkDrives**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3535,26 +4191,34 @@ SKU Support:
 -   0 (default) – Not allowed.
 -   1 – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowfullscanremovabledrivescanning"></a>**Defender/AllowFullScanRemovableDriveScanning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3567,26 +4231,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowioavprotection"></a>**Defender/AllowIOAVProtection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3599,26 +4271,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowintrusionpreventionsystem"></a>**Defender/AllowIntrusionPreventionSystem**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3631,26 +4311,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowonaccessprotection"></a>**Defender/AllowOnAccessProtection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3663,26 +4351,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowrealtimemonitoring"></a>**Defender/AllowRealtimeMonitoring**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3695,26 +4391,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowscanningnetworkfiles"></a>**Defender/AllowScanningNetworkFiles**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3727,26 +4431,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowscriptscanning"></a>**Defender/AllowScriptScanning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3759,26 +4471,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-allowuseruiaccess"></a>**Defender/AllowUserUIAccess**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3791,26 +4511,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-avgcpuloadfactor"></a>**Defender/AvgCPULoadFactor**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3822,26 +4550,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 50.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-daystoretaincleanedmalware"></a>**Defender/DaysToRetainCleanedMalware**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3853,26 +4589,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 0, which keeps items in quarantine, and does not automatically remove them.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-excludedextensions"></a>**Defender/ExcludedExtensions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3880,26 +4624,34 @@ SKU Support:
  
 <p style="margin-left: 20px">llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-excludedpaths"></a>**Defender/ExcludedPaths**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3907,26 +4659,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-excludedprocesses"></a>**Defender/ExcludedProcesses**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3940,26 +4700,34 @@ SKU Support:
  
 <p style="margin-left: 20px">Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-puaprotection"></a>**Defender/PUAProtection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -3973,26 +4741,34 @@ SKU Support:
 -   1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
 -   2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-realtimescandirection"></a>**Defender/RealTimeScanDirection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4010,26 +4786,34 @@ SKU Support:
 -   1 – Monitor incoming files.
 -   2 – Monitor outgoing files.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-scanparameter"></a>**Defender/ScanParameter**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4042,26 +4826,34 @@ SKU Support:
 -   1 (default) – Quick scan
 -   2 – Full scan
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-schedulequickscantime"></a>**Defender/ScheduleQuickScanTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4079,26 +4871,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 120
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-schedulescanday"></a>**Defender/ScheduleScanDay**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4122,26 +4922,34 @@ SKU Support:
 -   7 – Sunday
 -   8 – No scheduled scan
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-schedulescantime"></a>**Defender/ScheduleScanTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4159,26 +4967,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 120.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-signatureupdateinterval"></a>**Defender/SignatureUpdateInterval**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4192,26 +5008,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 8.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-submitsamplesconsent"></a>**Defender/SubmitSamplesConsent**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4226,26 +5050,34 @@ SKU Support:
 -   2 – Never send.
 -   3 – Send all samples automatically.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="defender-threatseveritydefaultaction"></a>**Defender/ThreatSeverityDefaultAction**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop.
@@ -4271,26 +5103,34 @@ SKU Support:
 -   8 – User defined
 -   10 – Block
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-doabsolutemaxcachesize"></a>**DeliveryOptimization/DOAbsoluteMaxCacheSize**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4300,26 +5140,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 10.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-doallowvpnpeercaching"></a>**DeliveryOptimization/DOAllowVPNPeerCaching**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4329,27 +5177,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 0 (FALSE).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dodownloadmode"></a>**DeliveryOptimization/DODownloadMode**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4366,26 +5221,34 @@ SKU Support:
 -   99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
 -   100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dogroupid"></a>**DeliveryOptimization/DOGroupId**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4396,27 +5259,34 @@ SKU Support:
 > [!NOTE]
 > You must use a GUID as the group ID.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domaxcacheage"></a>**DeliveryOptimization/DOMaxCacheAge**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4426,26 +5296,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 259200 seconds (3 days).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domaxcachesize"></a>**DeliveryOptimization/DOMaxCacheSize**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4455,26 +5333,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 20.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domaxdownloadbandwidth"></a>**DeliveryOptimization/DOMaxDownloadBandwidth**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4484,26 +5370,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domaxuploadbandwidth"></a>**DeliveryOptimization/DOMaxUploadBandwidth**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4513,26 +5407,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dominbackgroundqos"></a>**DeliveryOptimization/DOMinBackgroundQos**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4542,26 +5444,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 500.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dominbatterypercentageallowedtoupload"></a>**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4570,27 +5480,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domindisksizeallowedtopeer"></a>**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4603,28 +5520,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 32 GB.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dominfilesizetocache"></a>**DeliveryOptimization/DOMinFileSizeToCache**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4634,28 +5557,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 100 MB.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dominramallowedtopeer"></a>**DeliveryOptimization/DOMinRAMAllowedToPeer**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4665,27 +5594,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 4 GB.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domodifycachedrive"></a>**DeliveryOptimization/DOModifyCacheDrive**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4695,26 +5631,34 @@ SKU Support:
 
 <p style="margin-left: 20px">By default, %SystemDrive% is used to store the cache.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-domonthlyuploaddatacap"></a>**DeliveryOptimization/DOMonthlyUploadDataCap**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4726,26 +5670,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 20.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="deliveryoptimization-dopercentagemaxdownloadbandwidth"></a>**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -4755,22 +5707,7 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="desktop-preventuserredirectionofprofilefolders"></a>**Desktop/PreventUserRedirectionOfProfileFolders**  
@@ -4782,8 +5719,6 @@ By default, a user can change the location of their individual profile folders l
 
 If you enable this setting, users are unable to type a new location in the Target box.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -4804,8 +5739,6 @@ If you enable this policy setting, Windows is prevented from installing a device
 
 If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -4826,8 +5759,6 @@ If you enable this policy setting, Windows is prevented from installing or updat
 
 If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -4841,6 +5772,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -4857,26 +5811,34 @@ ADMX Info:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -4896,27 +5858,34 @@ SKU Support:
 > [!IMPORTANT]
 > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-allowsimpledevicepassword"></a>**DeviceLock/AllowSimpleDevicePassword**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
 
@@ -4931,26 +5900,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-alphanumericdevicepasswordrequired"></a>**DeviceLock/AlphanumericDevicePasswordRequired**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
 
@@ -4973,25 +5950,34 @@ SKU Support:
 
  
 
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-devicepasswordenabled"></a>**DeviceLock/DevicePasswordEnabled**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether device lock is enabled.
 
@@ -5040,26 +6026,34 @@ SKU Support:
 >   - MaxDevicePasswordFailedAttempts
 >   - MaxInactivityTimeDeviceLock
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-devicepasswordexpiration"></a>**DeviceLock/DevicePasswordExpiration**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies when the password expires (in days).
 
@@ -5076,26 +6070,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-devicepasswordhistory"></a>**DeviceLock/DevicePasswordHistory**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies how many passwords can be stored in the history that can’t be used.
 
@@ -5114,26 +6116,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-enforcelockscreenandlogonimage"></a>**DeviceLock/EnforceLockScreenAndLogonImage**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
 
@@ -5143,26 +6153,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Value type is a string, which is the full image filepath and filename.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-enforcelockscreenprovider"></a>**DeviceLock/EnforceLockScreenProvider**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
 
@@ -5172,26 +6190,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Value type is a string, which is the AppID.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-maxdevicepasswordfailedattempts"></a>**DeviceLock/MaxDevicePasswordFailedAttempts**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
 
@@ -5215,26 +6241,34 @@ The number of authentication failures allowed before the device will be wiped. A
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-maxinactivitytimedevicelock"></a>**DeviceLock/MaxInactivityTimeDeviceLock**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
 
@@ -5249,26 +6283,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-maxinactivitytimedevicelockwithexternaldisplay"></a>**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
 
@@ -5281,27 +6323,34 @@ SKU Support:
 -   An integer X where 0 &lt;= X &lt;= 999.
 -   0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Business: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-mindevicepasswordcomplexcharacters"></a>**DeviceLock/MinDevicePasswordComplexCharacters**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
 
@@ -5376,26 +6425,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-mindevicepasswordlength"></a>**DeviceLock/MinDevicePasswordLength**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies the minimum number or characters required in the PIN or password.
 
@@ -5415,22 +6472,7 @@ SKU Support:
 
 <p style="margin-left: 20px">For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="devicelock-preventlockscreenslideshow"></a>**DeviceLock/PreventLockScreenSlideShow**  
@@ -5442,8 +6484,6 @@ By default, users can enable a slide show that will run after they lock the mach
 
 If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5457,6 +6497,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="devicelock-screentimeoutwhilelocked"></a>**DeviceLock/ScreenTimeoutWhileLocked**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -5471,25 +6534,34 @@ ADMX Info:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="display-turnoffgdidpiscalingforapps"></a>**Display/TurnOffGdiDPIScalingForApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
 
@@ -5506,27 +6578,34 @@ SKU Support:
 1.   Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
 2.   Run the app and observe blurry text.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="display-turnongdidpiscalingforapps"></a>**Display/TurnOnGdiDPIScalingForApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
 
@@ -5543,191 +6622,217 @@ SKU Support:
 1.   Configure the setting for an app which uses GDI.
 2.   Run the app and observe crisp text.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-cloudprintoauthauthority"></a>**EnterpriseCloudPrint/CloudPrintOAuthAuthority**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
 
 <p style="margin-left: 20px">The datatype is a string.
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https:<span></span>//azuretenant.contoso.com/adfs".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-cloudprintoauthclientid"></a>**EnterpriseCloudPrint/CloudPrintOAuthClientId**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
 
 <p style="margin-left: 20px">The datatype is a string.
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-cloudprintresourceid"></a>**EnterpriseCloudPrint/CloudPrintResourceId**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
 
 <p style="margin-left: 20px">The datatype is a string. 
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a URL. For example, "http:<span></span>//MicrosoftEnterpriseCloudPrint/CloudPrint".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-cloudprinterdiscoveryendpoint"></a>**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
 
 <p style="margin-left: 20px">The datatype is a string.
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https:<span></span>//cloudprinterdiscovery.contoso.com".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-discoverymaxprinterlimit"></a>**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
 
 <p style="margin-left: 20px">The datatype is an integer. 
 
 <p style="margin-left: 20px">For Windows Mobile, the default value is 20.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="enterprisecloudprint-mopriadiscoveryresourceid"></a>**EnterpriseCloudPrint/MopriaDiscoveryResourceId**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
 
 <p style="margin-left: 20px">The datatype is a string.
 
 <p style="margin-left: 20px">The default value is an empty string. Otherwise, the value should contain a URL. For example, "http:<span></span>//MopriaDiscoveryService/CloudPrint".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="errorreporting-customizeconsentsettings"></a>**ErrorReporting/CustomizeConsentSettings**  
@@ -5749,8 +6854,6 @@ If you enable this policy setting, you can add specific event types to a list by
 
 If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5771,8 +6874,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro
 
 If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5797,8 +6898,6 @@ If you do not configure this policy setting, users can change this setting in Co
 
 See also the Configure Error Reporting policy setting.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5819,8 +6918,6 @@ If you enable this policy setting, any additional data requests from Microsoft i
 
 If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5841,8 +6938,6 @@ If you enable this policy setting, Windows Error Reporting does not display any
 
 If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5865,8 +6960,6 @@ If you disable or do not configure this policy setting and a log file reaches it
 
 Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5887,8 +6980,6 @@ If you enable this policy setting, you can configure the maximum log file size t
 
 If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5909,8 +7000,6 @@ If you enable this policy setting, you can configure the maximum log file size t
 
 If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5931,8 +7020,6 @@ If you enable this policy setting, you can configure the maximum log file size t
 
 If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -5946,6 +7033,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -5959,26 +7069,34 @@ ADMX Info:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
 
@@ -5997,26 +7115,34 @@ SKU Support:
 
 <p style="margin-left: 20px">An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowdevicediscovery"></a>**Experience/AllowDeviceDiscovery**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows users to turn on/off device discovery UX.
 
@@ -6029,41 +7155,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
-<!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
-<!--EndPolicy-->
-<!--StartPolicy-->
-<a href="" id="experience-allowfindmydevice"></a>**Experience/AllowFindMyDevice**  
-
-<!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy turns on Find My Device feature.  
-        
-<p style="margin-left: 20px">When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com.  
-
-<p style="margin-left: 20px">When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work.  
-
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowmanualmdmunenrollment"></a>**Experience/AllowManualMDMUnenrollment**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow the user to delete the workplace account using the workplace control panel.
 
@@ -6078,26 +7197,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -6110,26 +7237,34 @@ SKU Support:
 -   0 – SIM card dialog prompt is not displayed.
 -   1 (default) – SIM card dialog prompt is displayed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -6144,26 +7279,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
 
@@ -6172,26 +7315,34 @@ SKU Support:
 -   0 – Sync settings is not allowed.
 -   1 (default) – Sync settings allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -6209,14 +7360,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowtaskswitcher"></a>**Experience/AllowTaskSwitcher**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -6229,26 +7400,34 @@ SKU Support:
 -   0 – Task switching not allowed.
 -   1 (default) – Task switching allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowthirdpartysuggestionsinwindowsspotlight"></a>**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@@ -6261,26 +7440,34 @@ SKU Support:
 -   0 – Third-party suggestions not allowed.
 -   1 (default) – Third-party suggestions allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -6295,26 +7482,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowwindowsconsumerfeatures"></a>**Experience/AllowWindowsConsumerFeatures**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -6336,26 +7531,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowwindowsspotlight"></a>**Experience/AllowWindowsSpotlight**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -6370,26 +7573,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -6403,14 +7614,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -6425,14 +7656,34 @@ The Windows welcome experience feature introduces onboard users to Windows; for
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowwindowstips"></a>**Experience/AllowWindowsTips**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 Enables or disables Windows Tips / soft landing.
 
@@ -6441,26 +7692,34 @@ Enables or disables Windows Tips / soft landing.
 -   0 – Disabled.
 -   1 (default) – Enabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -6474,26 +7733,34 @@ SKU Support:
 -   1 (default) – Windows spotlight enabled.
 -   2 – placeholder only for future extension. Using this value has no effect.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Prevents devices from showing feedback questions from Microsoft.
 
@@ -6506,22 +7773,7 @@ SKU Support:
 -   0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
 -   1 – Feedback notifications are disabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**  
@@ -6529,9 +7781,6 @@ SKU Support:
 <!--StartDescription-->
 <p style="margin-left: 20px">Placeholder only. Currently not supported.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
@@ -6544,8 +7793,6 @@ If you enable this policy setting, the user can add and remove search providers,
 
 If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6566,8 +7813,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t
 
 If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6594,8 +7839,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a
 
 If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6618,8 +7861,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off.
 
 If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6640,8 +7881,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr
 
 If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6662,8 +7901,6 @@ If you enable this policy setting, Internet Explorer downloads the website list
 
 If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6684,8 +7921,6 @@ If you enable this policy setting, the user can add and remove sites from the li
 
 If you disable or do not configure this policy setting, the user can add and remove sites from the list.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6707,8 +7942,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer
 
 If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6735,8 +7968,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6763,8 +7994,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6791,8 +8020,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6819,8 +8046,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6847,8 +8072,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6875,8 +8098,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6903,8 +8124,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6925,8 +8144,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane
 
 If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6953,8 +8170,6 @@ Value - A number indicating the zone with which this site should be associated f
 
 If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -6977,8 +8192,6 @@ If you disable this policy setting, the entry points and functionality associate
 
 If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7005,8 +8218,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7033,8 +8244,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7060,8 +8269,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate
 
 Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7084,8 +8291,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for
 
 Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7106,8 +8311,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user.
 
 If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7128,8 +8331,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user.
 
 If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7152,8 +8353,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t
 
 If you do not configure this policy setting, the user can choose to participate in the CEIP.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7174,8 +8373,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d
 
 If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7198,8 +8395,6 @@ If you disable or do not configure this policy setting, the user can select whic
 
 Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7224,8 +8419,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail
 
 If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7250,8 +8443,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on
 
 If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7272,8 +8463,6 @@ If you enable this policy setting, a user cannot set a custom default home page.
 
 If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7294,8 +8483,6 @@ If you enable this policy setting, the user will not be able to configure proxy
 
 If you disable or do not configure this policy setting, the user can configure proxy settings.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7316,8 +8503,6 @@ If you enable this policy setting, the user cannot change the default search pro
 
 If you disable or do not configure this policy setting, the user can change the default search provider.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7340,8 +8525,6 @@ If you disable or do not configure this policy setting, the user can add seconda
 
 Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7364,8 +8547,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever
 
 This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7392,8 +8573,6 @@ Note:  The "Disable the Security page" policy (located in \User Configuration\Ad
 
 Also, see the "Security zones: Use only machine settings" policy.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7420,8 +8599,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm
 
 Also, see the "Security zones: Use only machine settings" policy.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7444,8 +8621,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu
 
 For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7472,8 +8647,6 @@ If you disable or don't configure this policy setting, the list is deleted and I
 
 For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7496,8 +8669,6 @@ If you disable this policy setting, local sites which are not explicitly mapped
 
 If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7520,8 +8691,6 @@ If you disable this policy setting, network paths are not necessarily mapped int
 
 If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7544,8 +8713,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7568,8 +8735,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7590,8 +8755,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7614,8 +8777,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7638,8 +8799,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7662,8 +8821,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7686,8 +8843,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7712,8 +8867,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7736,8 +8889,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7762,8 +8913,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7786,8 +8935,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7810,8 +8957,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7834,8 +8979,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7856,8 +8999,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7880,8 +9021,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7904,8 +9043,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7928,8 +9065,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7952,8 +9087,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -7978,8 +9111,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8002,8 +9133,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8028,8 +9157,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8052,8 +9179,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8076,8 +9201,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8100,8 +9223,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8122,8 +9243,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8146,8 +9265,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8170,8 +9287,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8194,8 +9309,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8218,8 +9331,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8244,8 +9355,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8268,8 +9377,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8294,8 +9401,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8318,8 +9423,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8342,8 +9445,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8366,8 +9467,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8388,8 +9487,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8412,8 +9509,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8436,8 +9531,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8460,8 +9553,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8484,8 +9575,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8510,8 +9599,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8534,8 +9621,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8560,8 +9645,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8584,8 +9667,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8608,8 +9689,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8632,8 +9711,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8654,8 +9731,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8678,8 +9753,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8702,8 +9775,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8726,8 +9797,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8750,8 +9819,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8776,8 +9843,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8800,8 +9865,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8826,8 +9889,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8850,8 +9911,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8874,8 +9933,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8898,8 +9955,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8920,8 +9975,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8944,8 +9997,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8968,8 +10019,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -8992,8 +10041,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9016,8 +10063,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9042,8 +10087,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9066,8 +10109,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9092,8 +10133,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9116,8 +10155,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9140,8 +10177,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9164,8 +10199,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9186,8 +10219,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9210,8 +10241,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9234,8 +10263,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9258,8 +10285,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9282,8 +10307,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9308,8 +10331,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9332,8 +10353,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9358,8 +10377,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9382,8 +10399,6 @@ If you disable this policy setting, users cannot open other windows and frames f
 
 If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9406,8 +10421,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9430,8 +10443,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9452,8 +10463,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9476,8 +10485,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9500,8 +10507,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9524,8 +10529,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9548,8 +10551,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9574,8 +10575,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9598,8 +10597,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9624,8 +10621,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9648,8 +10643,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9672,8 +10665,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9696,8 +10687,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9718,8 +10707,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9742,8 +10729,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9766,8 +10751,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9790,8 +10773,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9814,8 +10795,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9840,8 +10819,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9864,8 +10841,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9890,8 +10865,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9914,8 +10887,6 @@ If you disable this policy setting, users cannot open other windows and frames f
 
 If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9936,8 +10907,6 @@ If you enable this policy setting, the user cannot configure the list of search
 
 If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9960,8 +10929,6 @@ If you disable this policy setting, users cannot load a page in the zone that us
 
 If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -9984,8 +10951,6 @@ If you disable this policy setting, ActiveX control installations will be blocke
 
 If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10006,8 +10971,6 @@ If you enable this setting, users will receive a file download dialog for automa
 
 If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10030,8 +10993,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading.
 
 If you do not configure this policy setting, HTML fonts can be downloaded automatically.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10054,8 +11015,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent
 
 If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10078,8 +11037,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned
 
 If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10102,8 +11059,6 @@ If you disable this policy setting, the user cannot run scriptlets.
 
 If you do not configure this policy setting, the user can enable or disable scriptlets.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10128,8 +11083,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc
 
 Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10152,8 +11105,6 @@ If you disable this policy setting, users cannot preserve information in the bro
 
 If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10178,8 +11129,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar
 
 If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10202,8 +11151,6 @@ If you disable this policy setting, users cannot open windows and frames to acce
 
 If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10224,8 +11171,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t
 
 If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10244,9 +11189,6 @@ If you enable this policy setting, the client computers will request claims, pro
 
 If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10271,9 +11213,6 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au
 
 If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10294,9 +11233,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X
 
 If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10321,10 +11257,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s
 
 Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
 
-
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10338,6 +11270,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="licensing-allowwindowsentitlementreactivation"></a>**Licensing/AllowWindowsEntitlementReactivation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
 
@@ -10346,26 +11301,34 @@ ADMX Info:
 -   0 – Disable Windows license reactivation on managed devices.
 -   1 (default) – Enable Windows license reactivation on managed devices.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="licensing-disallowkmsclientonlineavsvalidation"></a>**Licensing/DisallowKMSClientOnlineAVSValidation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
 
@@ -10374,26 +11337,34 @@ SKU Support:
 -   0 (default) – Disabled.
 -   1 – Enabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="location-enablelocation"></a>**Location/EnableLocation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
 
@@ -10410,26 +11381,34 @@ SKU Support:
 1.   Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
 2.   Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="lockdown-allowedgeswipe"></a>**LockDown/AllowEdgeSwipe**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
 
@@ -10440,26 +11419,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="maps-allowofflinemapsdownloadovermeteredconnection"></a>**Maps/AllowOfflineMapsDownloadOverMeteredConnection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
 
@@ -10471,26 +11458,34 @@ SKU Support:
 
 <p style="margin-left: 20px">After the policy is applied, you can verify the settings in the user interface in **System** &gt; **Offline Maps**.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="maps-enableofflinemapsautoupdate"></a>**Maps/EnableOfflineMapsAutoUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Disables the automatic download and update of map data.
 
@@ -10502,26 +11497,34 @@ SKU Support:
 
 <p style="margin-left: 20px">After the policy is applied, you can verify the settings in the user interface in **System** &gt; **Offline Maps**.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="messaging-allowmms"></a>**Messaging/AllowMMS**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -10533,14 +11536,34 @@ SKU Support:
 -   0 - Disabled.
 -   1 (default) - Enabled.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="messaging-allowmessagesync"></a>**Messaging/AllowMessageSync**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
 
@@ -10549,26 +11572,34 @@ SKU Support:
 -   0 - message sync is not allowed and cannot be changed by the user.
 -   1 - message sync is allowed. The user can change this setting.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="messaging-allowrcs"></a>**Messaging/AllowRCS**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -10580,37 +11611,65 @@ SKU Support:
 -   0 - Disabled.
 -   1 (default) - Enabled.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterprisecloudresources"></a>**NetworkIsolation/EnterpriseCloudResources**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|**.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterpriseiprange"></a>**NetworkIsolation/EnterpriseIPRange**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
 
@@ -10623,72 +11682,96 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        
 ```
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterpriseiprangesareauthoritative"></a>**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterpriseinternalproxyservers"></a>**NetworkIsolation/EnterpriseInternalProxyServers**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterprisenetworkdomainnames"></a>**NetworkIsolation/EnterpriseNetworkDomainNames**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
 
@@ -10702,98 +11785,137 @@ SKU Support:
 2.  Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
 3.  Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterpriseproxyservers"></a>**NetworkIsolation/EnterpriseProxyServers**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-enterpriseproxyserversareauthoritative"></a>**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="networkisolation-neutralresources"></a>**NetworkIsolation/NeutralResources**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">List of domain names that can used for work or personal resource.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="notifications-disallownotificationmirroring"></a>**Notifications/DisallowNotificationMirroring**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
 
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> -   **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
+> -   **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
+
+
 <p style="margin-left: 20px">For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
 
 <p style="margin-left: 20px">No reboot or service restart is required for this policy to take effect.
@@ -10803,22 +11925,7 @@ SKU Support:
 -   0 (default)– enable notification mirroring.
 -   1 – disable notification mirroring.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="power-allowstandbywhensleepingpluggedin"></a>**Power/AllowStandbyWhenSleepingPluggedIn**  
@@ -10830,8 +11937,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat
 
 If you disable this policy setting, standby states (S1-S3) are not allowed.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10852,8 +11957,6 @@ If you enable or do not configure this policy setting, the user is prompted for
 
 If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10874,8 +11977,6 @@ If you enable or do not configure this policy setting, the user is prompted for
 
 If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10909,8 +12010,6 @@ If you disable this policy setting:
 -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
 -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10944,8 +12043,6 @@ If you disable this policy setting:
 -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
 -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10967,8 +12064,6 @@ If you disable this setting, this computer's shared printers cannot be published
 
 Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -10982,6 +12077,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="privacy-allowautoacceptpairingandprivacyconsentprompts"></a>**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
 
@@ -10992,26 +12110,34 @@ ADMX Info:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-allowinputpersonalization"></a>**Privacy/AllowInputPersonalization**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
 
@@ -11023,25 +12149,34 @@ SKU Support:
 <p style="margin-left: 20px">Most restricted value is 0.
  
 
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-disableadvertisingid"></a>**Privacy/DisableAdvertisingId**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Enables or disables the Advertising ID.
 
@@ -11053,26 +12188,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessaccountinfo"></a>**Privacy/LetAppsAccessAccountInfo**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
 
@@ -11084,95 +12227,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessaccountinfo-forceallowtheseapps"></a>**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessaccountinfo-forcedenytheseapps"></a>**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessaccountinfo-userincontroloftheseapps"></a>**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscalendar"></a>**Privacy/LetAppsAccessCalendar**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
 
@@ -11184,95 +12359,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscalendar-forceallowtheseapps"></a>**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscalendar-forcedenytheseapps"></a>**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscalendar-userincontroloftheseapps"></a>**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscallhistory"></a>**Privacy/LetAppsAccessCallHistory**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
 
@@ -11284,95 +12491,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscallhistory-forceallowtheseapps"></a>**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscallhistory-forcedenytheseapps"></a>**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscallhistory-userincontroloftheseapps"></a>**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscamera"></a>**Privacy/LetAppsAccessCamera**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
 
@@ -11384,95 +12623,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscamera-forceallowtheseapps"></a>**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscamera-forcedenytheseapps"></a>**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscamera-userincontroloftheseapps"></a>**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscontacts"></a>**Privacy/LetAppsAccessContacts**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
 
@@ -11484,95 +12755,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscontacts-forceallowtheseapps"></a>**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscontacts-forcedenytheseapps"></a>**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesscontacts-userincontroloftheseapps"></a>**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessemail"></a>**Privacy/LetAppsAccessEmail**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
 
@@ -11584,95 +12887,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessemail-forceallowtheseapps"></a>**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessemail-forcedenytheseapps"></a>**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessemail-userincontroloftheseapps"></a>**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesslocation"></a>**Privacy/LetAppsAccessLocation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
 
@@ -11684,95 +13019,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesslocation-forceallowtheseapps"></a>**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesslocation-forcedenytheseapps"></a>**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesslocation-userincontroloftheseapps"></a>**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmessaging"></a>**Privacy/LetAppsAccessMessaging**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
 
@@ -11784,95 +13151,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmessaging-forceallowtheseapps"></a>**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmessaging-forcedenytheseapps"></a>**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmessaging-userincontroloftheseapps"></a>**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmicrophone"></a>**Privacy/LetAppsAccessMicrophone**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
 
@@ -11884,95 +13283,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmicrophone-forceallowtheseapps"></a>**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmicrophone-forcedenytheseapps"></a>**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmicrophone-userincontroloftheseapps"></a>**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmotion"></a>**Privacy/LetAppsAccessMotion**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
 
@@ -11984,95 +13415,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmotion-forceallowtheseapps"></a>**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmotion-forcedenytheseapps"></a>**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessmotion-userincontroloftheseapps"></a>**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessnotifications"></a>**Privacy/LetAppsAccessNotifications**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
 
@@ -12084,95 +13547,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessnotifications-forceallowtheseapps"></a>**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessnotifications-forcedenytheseapps"></a>**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessnotifications-userincontroloftheseapps"></a>**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessphone"></a>**Privacy/LetAppsAccessPhone**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
 
@@ -12184,95 +13679,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessphone-forceallowtheseapps"></a>**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessphone-forcedenytheseapps"></a>**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessphone-userincontroloftheseapps"></a>**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessradios"></a>**Privacy/LetAppsAccessRadios**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
 
@@ -12284,187 +13811,251 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessradios-forceallowtheseapps"></a>**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessradios-forcedenytheseapps"></a>**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccessradios-userincontroloftheseapps"></a>**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstasks"></a>**Privacy/LetAppsAccessTasks**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstasks-forceallowtheseapps"></a>**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstasks-forcedenytheseapps"></a>**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstasks-userincontroloftheseapps"></a>**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstrusteddevices"></a>**Privacy/LetAppsAccessTrustedDevices**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
 
@@ -12476,95 +14067,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstrusteddevices-forceallowtheseapps"></a>**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstrusteddevices-forcedenytheseapps"></a>**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsaccesstrusteddevices-userincontroloftheseapps"></a>**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsgetdiagnosticinfo"></a>**Privacy/LetAppsGetDiagnosticInfo**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
 
@@ -12576,95 +14199,127 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsgetdiagnosticinfo-forceallowtheseapps"></a>**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsgetdiagnosticinfo-forcedenytheseapps"></a>**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsgetdiagnosticinfo-userincontroloftheseapps"></a>**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsruninbackground"></a>**Privacy/LetAppsRunInBackground**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
 
@@ -12678,95 +14333,127 @@ SKU Support:
 > [!WARNING]
 > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsruninbackground-forceallowtheseapps"></a>**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsruninbackground-forcedenytheseapps"></a>**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappsruninbackground-userincontroloftheseapps"></a>**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappssyncwithdevices"></a>**Privacy/LetAppsSyncWithDevices**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
 
@@ -12778,91 +14465,100 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 2.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappssyncwithdevices-forceallowtheseapps"></a>**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappssyncwithdevices-forcedenytheseapps"></a>**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="privacy-letappssyncwithdevices-userincontroloftheseapps"></a>**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="remoteassistance-customizewarningmessages"></a>**RemoteAssistance/CustomizeWarningMessages**  
@@ -12880,8 +14576,6 @@ If you disable this policy setting, the user sees the default warning message.
 
 If you do not configure this policy setting, the user sees the default warning message.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -12904,8 +14598,6 @@ If you disable this policy setting, log files are not generated.
 
 If you do not configure this setting, application-based settings are used.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -12936,8 +14628,6 @@ The "Select the method for sending email invitations" setting specifies which em
 
 If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -12991,8 +14681,6 @@ Port 135:TCP
 %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
 Allow Remote Desktop Exception
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13018,9 +14706,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D
 
 You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13051,9 +14736,6 @@ Important
 
 FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13078,9 +14760,6 @@ If you disable this policy setting, client drive redirection is always allowed.
 
 If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13101,8 +14780,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec
 
 If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13129,9 +14806,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se
 
 If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
 
-
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13158,8 +14832,6 @@ If the status is set to Not Configured, unsecured communication is allowed.
 
 Note: The RPC interface is used for administering and configuring Remote Desktop Services.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13184,8 +14856,6 @@ If you do not configure this policy setting, it remains disabled.  RPC clients w
 
 Note: This policy will not be applied until the system is rebooted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13218,8 +14888,6 @@ If you enable this policy setting, it directs the RPC server runtime to restrict
 
 Note: This policy setting will not be applied until the system is rebooted.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -13233,6 +14901,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="search-allowindexingencryptedstoresoritems"></a>**Search/AllowIndexingEncryptedStoresOrItems**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
 
@@ -13247,26 +14938,34 @@ ADMX Info:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-allowsearchtouselocation"></a>**Search/AllowSearchToUseLocation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether search can leverage location information.
 
@@ -13277,26 +14976,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-allowusingdiacritics"></a>**Search/AllowUsingDiacritics**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the use of diacritics.
 
@@ -13307,26 +15014,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-alwaysuseautolangdetection"></a>**Search/AlwaysUseAutoLangDetection**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to always use automatic language detection when indexing content and properties.
 
@@ -13337,26 +15052,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-disablebackoff"></a>**Search/DisableBackoff**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
 
@@ -13365,26 +15088,34 @@ SKU Support:
 -   0 (default) – Disable.
 -   1 – Enable.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-disableremovabledriveindexing"></a>**Search/DisableRemovableDriveIndexing**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">This policy setting configures whether or not locations on removable drives can be added to libraries.
 
@@ -13397,26 +15128,34 @@ SKU Support:
 -   0 (default) – Disable.
 -   1 – Enable.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-preventindexinglowdiskspacemb"></a>**Search/PreventIndexingLowDiskSpaceMB**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.
 
@@ -13429,26 +15168,34 @@ SKU Support:
 -   0 – Disable.
 -   1 (default) – Enable.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-preventremotequeries"></a>**Search/PreventRemoteQueries**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
 
@@ -13457,26 +15204,34 @@ SKU Support:
 -   0 – Disable.
 -   1 (default) – Enable.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="search-safesearchpermissions"></a>**Search/SafeSearchPermissions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -13491,26 +15246,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-allowaddprovisioningpackage"></a>**Security/AllowAddProvisioningPackage**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to install provisioning packages.
 
@@ -13519,26 +15282,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-allowautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy has been deprecated in Windows 10, version 1607
@@ -13556,26 +15327,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-allowmanualrootcertificateinstallation"></a>**Security/AllowManualRootCertificateInstallation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -13590,26 +15369,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-allowremoveprovisioningpackage"></a>**Security/AllowRemoveProvisioningPackage**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to remove provisioning packages.
 
@@ -13618,26 +15405,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-antitheftmode"></a>**Security/AntiTheftMode**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -13650,26 +15445,34 @@ SKU Support:
 -   0 – Don't allow Anti Theft Mode.
 -   1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-preventautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -13684,26 +15487,34 @@ SKU Support:
 -   0 (default) – Encryption enabled.
 -   1 – Encryption disabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
@@ -13720,27 +15531,34 @@ SKU Support:
 > [!IMPORTANT]
 > If encryption has been enabled, it cannot be turned off by using this policy.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-requireprovisioningpackagesignature"></a>**Security/RequireProvisioningPackageSignature**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
 
@@ -13749,26 +15567,34 @@ SKU Support:
 -   0 (default) – Not required.
 -   1 – Required.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="security-requireretrievehealthcertificateonboot"></a>**Security/RequireRetrieveHealthCertificateOnBoot**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
 
@@ -13788,26 +15614,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 1.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowautoplay"></a>**Settings/AllowAutoPlay**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -13823,27 +15657,34 @@ SKU Support:
 > [!NOTE]
 > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowdatasense"></a>**Settings/AllowDataSense**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the user to change Data Sense settings.
 
@@ -13852,26 +15693,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowdatetime"></a>**Settings/AllowDateTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the user to change date and time settings.
 
@@ -13880,26 +15729,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows editing of the device name.
 
@@ -13908,26 +15765,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: No  
--   Education: No  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -13940,26 +15805,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowpowersleep"></a>**Settings/AllowPowerSleep**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -13972,26 +15845,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowregion"></a>**Settings/AllowRegion**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -14004,26 +15885,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowsigninoptions"></a>**Settings/AllowSignInOptions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -14036,26 +15925,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowvpn"></a>**Settings/AllowVPN**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows the user to change VPN settings.
 
@@ -14064,26 +15961,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowworkplace"></a>**Settings/AllowWorkplace**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -14096,26 +16001,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-allowyouraccount"></a>**Settings/AllowYourAccount**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows user to change account settings.
 
@@ -14124,26 +16037,34 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-configuretaskbarcalendar"></a>**Settings/ConfigureTaskbarCalendar**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703.  Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout.  In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale.  Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
 
@@ -14154,27 +16075,34 @@ SKU Support:
 -   2  - Simplified Chinese (Lunar).
 -   3  - Traditional Chinese (Lunar).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="settings-pagevisibilitylist"></a>**Settings/PageVisibilityList**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703.  Allows IT Admins to either  prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified.  The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo".  Multiple page identifiers are separated by semicolons.
 
@@ -14208,27 +16136,34 @@ SKU Support:
 2.   Configure the policy with the following string: "hide:about".
 3.   Open System Settings again and verify that the About page is no longer accessible.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="smartscreen-enableappinstallcontrol"></a>**SmartScreen/EnableAppInstallControl**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
 
@@ -14237,27 +16172,34 @@ SKU Support:
 -   0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
 -   1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="smartscreen-enablesmartscreeninshell"></a>**SmartScreen/EnableSmartScreenInShell**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
 
@@ -14266,27 +16208,34 @@ SKU Support:
 -   0 – Turns off SmartScreen in Windows.
 -   1 – Turns on SmartScreen in Windows.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="smartscreen-preventoverrideforfilesinshell"></a>**SmartScreen/PreventOverrideForFilesInShell**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
 
@@ -14295,27 +16244,34 @@ SKU Support:
 -   0 – Employees can ignore SmartScreen warnings and run malicious files.
 -   1 – Employees cannot ignore SmartScreen warnings and run malicious files.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="speech-allowspeechmodelupdate"></a>**Speech/AllowSpeechModelUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
 
@@ -14324,26 +16280,404 @@ SKU Support:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 
-
-
-
 <!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderdocuments"></a>**Start/AllowPinnedFolderDocuments**  
+
 <!--StartSKU-->
-SKU Support:  
--   Home: Yes  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
 
 <!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderdownloads"></a>**Start/AllowPinnedFolderDownloads**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderfileexplorer"></a>**Start/AllowPinnedFolderFileExplorer**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderhomegroup"></a>**Start/AllowPinnedFolderHomeGroup**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfoldermusic"></a>**Start/AllowPinnedFolderMusic**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfoldernetwork"></a>**Start/AllowPinnedFolderNetwork**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderpersonalfolder"></a>**Start/AllowPinnedFolderPersonalFolder**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfolderpictures"></a>**Start/AllowPinnedFolderPictures**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfoldersettings"></a>**Start/AllowPinnedFolderSettings**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="start-allowpinnedfoldervideos"></a>**Start/AllowPinnedFolderVideos**  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+<p style="margin-left: 20px">The following list shows the supported values:
+
+-   0 – The shortcut is hidden and disables the setting in the Settings app.
+-   1 – The shortcut is visible and disables the setting in the Settings app.
+-   65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+<!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-forcestartsize"></a>**Start/ForceStartSize**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -14359,26 +16693,34 @@ SKU Support:
 
 <p style="margin-left: 20px">If there is policy configuration conflict, the latest configuration request is applied to the device.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hideapplist"></a>**Start/HideAppList**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14399,14 +16741,34 @@ SKU Support:
 -   2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
 -   2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidechangeaccountsettings"></a>**Start/HideChangeAccountSettings**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
 
@@ -14420,14 +16782,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the user tile, and verify that "Change account settings" is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidefrequentlyusedapps"></a>**Start/HideFrequentlyUsedApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14448,14 +16830,34 @@ SKU Support:
 5.   Check that  "Show most used apps" Settings toggle is grayed out.
 6.   Check that most used apps do not appear in Start.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidehibernate"></a>**Start/HideHibernate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
 
@@ -14472,14 +16874,34 @@ SKU Support:
 > [!NOTE]
 > This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidelock"></a>**Start/HideLock**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
 
@@ -14493,14 +16915,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the user tile, and verify "Lock" is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidepowerbutton"></a>**Start/HidePowerButton**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14517,14 +16959,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, and verify the power button is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hiderecentjumplists"></a>**Start/HideRecentJumplists**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14548,14 +17010,34 @@ SKU Support:
 8.   Repeat Step 2.
 9.   Right Click pinned photos app and verify that there is no jumplist of recent items.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hiderecentlyaddedapps"></a>**Start/HideRecentlyAddedApps**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14576,14 +17058,34 @@ SKU Support:
 5.   Check that "Show recently added apps" Settings toggle is grayed out.
 6.   Check that recently added apps do not appear in Start.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hiderestart"></a>**Start/HideRestart**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
 
@@ -14597,14 +17099,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hideshutdown"></a>**Start/HideShutDown**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
 
@@ -14618,14 +17140,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidesignout"></a>**Start/HideSignOut**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
 
@@ -14639,14 +17181,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the user tile, and verify "Sign out" is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hidesleep"></a>**Start/HideSleep**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
 
@@ -14660,14 +17222,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the Power button, and verify that "Sleep" is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hideswitchaccount"></a>**Start/HideSwitchAccount**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
 
@@ -14681,14 +17263,34 @@ SKU Support:
 1.   Enable policy.
 2.   Open Start, click on the user tile, and verify that "Switch account" is not available.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-hideusertile"></a>**Start/HideUserTile**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14706,14 +17308,34 @@ SKU Support:
 2.   Log off.
 3.   Log in, and verify that the user tile is gone from Start.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-importedgeassets"></a>**Start/ImportEdgeAssets**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy requires reboot to take effect.
@@ -14732,14 +17354,34 @@ SKU Support:
 3.   Sign out/in.
 4.   Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-nopinningtotaskbar"></a>**Start/NoPinningToTaskbar**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
 
@@ -14756,14 +17398,34 @@ SKU Support:
 4.   Open Start and right click on one of the app list icons.
 5.   Verify that More->Pin to taskbar menu does not show.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="start-startlayout"></a>**Start/StartLayout**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!IMPORTANT]
 > This node is set on a per-user basis and must be accessed using the following paths:
@@ -14780,22 +17442,7 @@ SKU Support:
 
 <p style="margin-left: 20px">This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="storage-enhancedstoragedevices"></a>**Storage/EnhancedStorageDevices**  
@@ -14807,8 +17454,6 @@ If you enable this policy setting, Windows will not activate unactivated Enhance
 
 If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -14822,6 +17467,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="system-allowbuildpreview"></a>**System/AllowBuildPreview**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
@@ -14837,26 +17505,34 @@ ADMX Info:
 -   1 – Allowed. Users can make their devices available for downloading and installing preview software.
 -   2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowembeddedmode"></a>**System/AllowEmbeddedMode**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether set general purpose device to be in embedded mode.
 
@@ -14867,25 +17543,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowexperimentation"></a>**System/AllowExperimentation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is not supported in Windows 10, version 1607.
@@ -14900,26 +17585,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowfontproviders"></a>**System/AllowFontProviders**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
 
@@ -14939,26 +17632,34 @@ SKU Support:
 
 -  After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowlocation"></a>**System/AllowLocation**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow app access to the Location service.
 
@@ -14976,26 +17677,34 @@ SKU Support:
 
 <p style="margin-left: 20px">For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowstoragecard"></a>**System/AllowStorageCard**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
 
@@ -15006,26 +17715,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowtelemetry"></a>**System/AllowTelemetry**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow the device to send diagnostic and usage telemetry data, such as Watson.
 
@@ -15091,26 +17808,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-allowusertoresetphone"></a>**System/AllowUserToResetPhone**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
 
@@ -15121,22 +17846,7 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**  
@@ -15144,8 +17854,6 @@ SKU Support:
 <!--StartDescription-->
 N/A
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -15159,6 +17867,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="system-disableonedrivefilesync"></a>**System/DisableOneDriveFileSync**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
 
@@ -15181,23 +17912,7 @@ ADMX Info:
 2.   Restart machine.
 3.   Verify that OneDrive.exe is not running in Task Manager.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="system-disablesystemrestore"></a>**System/DisableSystemRestore**  
@@ -15215,8 +17930,6 @@ If you disable or do not configure this policy setting, users can perform System
 
 Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -15230,31 +17943,62 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="system-telemetryproxy"></a>**System/TelemetryProxy**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *&lt;server&gt;:&lt;port&gt;*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
 
 <p style="margin-left: 20px">If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowimelogging"></a>**TextInput/AllowIMELogging**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15269,26 +18013,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowimenetworkaccess"></a>**TextInput/AllowIMENetworkAccess**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15303,26 +18055,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowinputpanel"></a>**TextInput/AllowInputPanel**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15337,26 +18097,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowjapaneseimesurrogatepaircharacters"></a>**TextInput/AllowJapaneseIMESurrogatePairCharacters**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15371,26 +18139,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowjapaneseivscharacters"></a>**TextInput/AllowJapaneseIVSCharacters**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15405,26 +18181,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowjapanesenonpublishingstandardglyph"></a>**TextInput/AllowJapaneseNonPublishingStandardGlyph**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15439,26 +18223,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowjapaneseuserdictionary"></a>**TextInput/AllowJapaneseUserDictionary**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15473,26 +18265,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowkeyboardtextsuggestions"></a>**TextInput/AllowKeyboardTextSuggestions**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15512,23 +18312,7 @@ SKU Support:
 2.  Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
 3.  Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowkoreanextendedhanja"></a>**TextInput/AllowKoreanExtendedHanja**  
@@ -15536,14 +18320,34 @@ SKU Support:
 <!--StartDescription-->
 <p style="margin-left: 20px">This policy has been deprecated.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-allowlanguagefeaturesuninstall"></a>**TextInput/AllowLanguageFeaturesUninstall**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15558,26 +18362,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-excludejapaneseimeexceptjis0208"></a>**TextInput/ExcludeJapaneseIMEExceptJIS0208**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15590,26 +18402,34 @@ SKU Support:
 -   0 (default) – No characters are filtered.
 -   1 – All characters except JIS0208 are filtered.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-excludejapaneseimeexceptjis0208andeudc"></a>**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15622,26 +18442,34 @@ SKU Support:
 -   0 (default) – No characters are filtered.
 -   1 – All characters except JIS0208 and EUDC are filtered.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="textinput-excludejapaneseimeexceptshiftjis"></a>**TextInput/ExcludeJapaneseIMEExceptShiftJIS**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > The policy is only enforced in Windows 10 for desktop.
@@ -15654,26 +18482,34 @@ SKU Support:
 -   0 (default) – No characters are filtered.
 -   1 – All characters except ShiftJIS are filtered.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="timelanguagesettings-allowset24hourclock"></a>**TimeLanguageSettings/AllowSet24HourClock**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
 
@@ -15682,14 +18518,34 @@ SKU Support:
 -   0 – Locale default setting.
 -   1 (default) – Set 24 hour clock.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15704,26 +18560,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default is 17 (5 PM).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15735,14 +18599,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 18 (hours).
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15757,26 +18641,69 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 8 (8 AM).
 
-
-
-
 <!--EndDescription-->
+<!--EndPolicy-->
+<!--StartPolicy-->
+<a href="" id="update-autorestartdeadlineperiodindays"></a>**Update/AutoRestartDeadlinePeriodInDays**  
+
 <!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
 
 <!--EndSKU-->
+<!--StartDescription-->
+<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
+
+<p style="margin-left: 20px">Supported values are 2-30 days.
+
+<p style="margin-left: 20px">The default value is 7 days.
+
+<!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15801,26 +18728,34 @@ SKU Support:
 
 <p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
@@ -15833,26 +18768,34 @@ SKU Support:
 -   0 – Not allowed or not configured.
 -   1 – Allowed. Accepts updates received through Microsoft Update.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15869,26 +18812,34 @@ SKU Support:
 
 <p style="margin-left: 20px">This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15908,27 +18859,34 @@ SKU Support:
 > [!NOTE]
 > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15940,14 +18898,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 15 (minutes).
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15960,14 +18938,34 @@ SKU Support:
 -   1 (default) – Auto Dismissal.
 -   2 – User Dismissal.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -15980,26 +18978,34 @@ SKU Support:
 -   16 (default) – User gets all applicable upgrades from Current Branch (CB).
 -   32 – User gets upgrades from Current Branch for Business (CBB).
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -16012,26 +19018,34 @@ SKU Support:
 > [!IMPORTANT]
 > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16041,26 +19055,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Supported values are 0-30.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16132,27 +19154,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
 </tbody>
 </table>
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -16170,50 +19199,65 @@ SKU Support:
 
 <p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-detectionfrequency"></a>**Update/DetectionFrequency**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16225,14 +19269,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 0 days (not specified).
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16244,14 +19308,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 3 days.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16263,14 +19347,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 7 days.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -16283,27 +19387,34 @@ SKU Support:
 -   0 (default) – Allow Windows Update drivers.
 -   1 – Exclude Windows Update drivers.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-fillemptycontenturls"></a>**Update/FillEmptyContentUrls**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata.  This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the <a href="#update-updateserviceurlalternate">alternate download URL</a>).
 
@@ -16315,27 +19426,34 @@ SKU Support:
 -   0 (default) – Disabled.
 -   1 – Enabled.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: No  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. 
 
@@ -16357,28 +19475,34 @@ SKU Support:
 
 3.   Verify that any downloads that are above the download size limit will complete without being paused.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. 
 
@@ -16398,28 +19522,34 @@ SKU Support:
 
 3.   Verify that any downloads that are above the download size limit will complete without being paused.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16438,26 +19568,34 @@ SKU Support:
 
 <p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -16471,51 +19609,67 @@ SKU Support:
 -   0 (default) – Feature Updates are not paused.
 -   1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-PauseFeatureUpdatesStartTime"></a>**Update/PauseFeatureUpdatesStartTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
 
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16527,51 +19681,67 @@ SKU Support:
 -   0 (default) – Quality Updates are not paused.
 -   1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-PauseQualityUpdatesStartTime"></a>**Update/PauseQualityUpdatesStartTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
 
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16586,26 +19756,34 @@ SKU Support:
 -   0 (default) – User gets upgrades from Current Branch.
 -   1 – User gets upgrades from Current Branch for Business.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16625,26 +19803,34 @@ SKU Support:
 -   0 – Not configured. The device installs all applicable updates.
 -   1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16656,14 +19842,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 15 (minutes).
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16675,14 +19881,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 4 (hours).
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16705,26 +19931,34 @@ SKU Support:
 -   6 – Friday
 -   7 – Saturday
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16740,26 +19974,34 @@ SKU Support:
 
 <p style="margin-left: 20px">The default value is 3.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark"/></td>
+	<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16772,14 +20014,34 @@ SKU Support:
 -   0 (default) – Enabled
 -   1 – Disabled
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-setedurestart"></a>**Update/SetEDURestart**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
 
@@ -16788,27 +20050,34 @@ SKU Support:
 - 0 - not configured
 - 1 - configured
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > [!NOTE]
 > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -16843,26 +20112,34 @@ Example
         </Replace>
 ```
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
 
@@ -16879,22 +20156,7 @@ SKU Support:
 > If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.  
 > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowwifihotspotreporting"></a>**WiFi/AllowWiFiHotSpotReporting**  
@@ -16902,14 +20164,34 @@ SKU Support:
 <!--StartDescription-->
 <p style="margin-left: 20px">This policy has been deprecated.
 
-
-
-
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowautoconnecttowifisensehotspots"></a>**Wifi/AllowAutoConnectToWiFiSenseHotspots**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow or disallow the device to automatically connect to Wi-Fi hotspots.
 
@@ -16920,26 +20202,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowinternetsharing"></a>**Wifi/AllowInternetSharing**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow or disallow internet sharing.
 
@@ -16950,26 +20240,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowmanualwificonfiguration"></a>**Wifi/AllowManualWiFiConfiguration**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
 
@@ -16983,27 +20281,34 @@ SKU Support:
 > [!NOTE]
 > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
 
-
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowwifi"></a>**Wifi/AllowWiFi**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow or disallow WiFi connection.
 
@@ -17014,53 +20319,68 @@ SKU Support:
 
 <p style="margin-left: 20px">Most restricted value is 0.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): Yes  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-allowwifidirect"></a>**Wifi/AllowWiFiDirect**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. Allow WiFi Direct connection..
 
 - 0 - WiFi Direct connection is not allowed.
 - 1 - WiFi Direct connection is allowed.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wifi-wlanscanmode"></a>**Wifi/WLANScanMode**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
 
@@ -17070,26 +20390,34 @@ SKU Support:
 
 <p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
 
@@ -17098,26 +20426,34 @@ SKU Support:
 -   0 - app suggestions are not allowed.
 -   1 (default) -allow app suggestions.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="windowsinkworkspace-allowwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowWindowsInkWorkspace**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
 
@@ -17127,22 +20463,7 @@ SKU Support:
 -   1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
 -   2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**  
@@ -17154,8 +20475,6 @@ If you enable this policy setting, no app notifications are displayed on the loc
 
 If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -17176,8 +20495,6 @@ If you enable this policy setting, the PC's network connectivity state cannot be
 
 If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
 
-
-
 <!--EndDescription-->
 <!--StartADMX-->
 ADMX Info:  
@@ -17191,6 +20508,29 @@ ADMX Info:
 <!--StartPolicy-->
 <a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
 
@@ -17204,80 +20544,102 @@ ADMX Info:
 1.   Enable policy.
 2.   Verify that the Switch account button in Start is hidden.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-allowprojectionfrompc"></a>**WirelessDisplay/AllowProjectionFromPC**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.  
 
 - 0 - your PC cannot discover or project to other devices.
 - 1 - your PC can discover and project to other devices
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-allowprojectionfrompcoverinfrastructure"></a>**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.  
 
 - 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
 - 1 - your PC can discover and project to other devices over infrastructure.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-allowprojectiontopc"></a>**WirelessDisplay/AllowProjectionToPC**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
 
@@ -17288,49 +20650,41 @@ SKU Support:
 -   0 - projection to PC is not allowed. Always off and the user cannot enable it.
 -   1 (default) - projection to PC is allowed. Enabled only above the lock screen.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-Allowprojectiontopcoverinfrastructure"></a>**WirelessDisplay/AllowProjectionToPCOverInfrastructure**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.  
 
 - 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct.
 - 1 - your PC is discoverable and other devices can project to it over infrastructure.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Business: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: Yes  
--   Mobile Enterprise: Yes  
--   IoT Core: Yes  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-allowuserinputfromwirelessdisplayreceiver"></a>**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**  
@@ -17338,19 +20692,34 @@ SKU Support:
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703.
 
-
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="wirelessdisplay-requirepinforpairing"></a>**WirelessDisplay/RequirePinForPairing**  
 
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>MobileEnterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
 
@@ -17361,26 +20730,262 @@ SKU Support:
 -   0 (default) - PIN is not required.
 -   1 - PIN is required.
 
-
-
 <!--EndDescription-->
-<!--StartSKU-->
-SKU Support:  
--   Home: No  
--   Pro: Yes  
--   Enterprise: Yes  
--   Education: Yes  
--   Mobile: No  
--   Mobile Enterprise: No  
--   IoT Core: No  
--   Can be set using Exchange Active Sync (EAS): No  
-
-<!--EndSKU-->
 <!--EndPolicy-->
 <hr/>
+
+Footnote:
+
+-   1 - Added in Windows 10, version 1607.
+-   2 - Added in Windows 10, version 1703.
+
 <!--EndPolicies-->
 
+<!--StartIoTCore-->
+## <a href="" id="iotcore"></a>Policies Supported by IoT Core  
 
+-   [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)  
+-   [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)  
+-   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)  
+-   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)  
+-   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)  
+-   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)  
+-   [Browser/AllowAutofill](#browser-allowautofill)  
+-   [Browser/AllowBrowser](#browser-allowbrowser)  
+-   [Browser/AllowCookies](#browser-allowcookies)  
+-   [Browser/AllowDoNotTrack](#browser-allowdonottrack)  
+-   [Browser/AllowInPrivate](#browser-allowinprivate)  
+-   [Browser/AllowPasswordManager](#browser-allowpasswordmanager)  
+-   [Browser/AllowPopups](#browser-allowpopups)  
+-   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)  
+-   [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)  
+-   [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)  
+-   [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)  
+-   [Camera/AllowCamera](#camera-allowcamera)  
+-   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
+-   [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)  
+-   [Connectivity/AllowNFC](#connectivity-allownfc)  
+-   [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)  
+-   [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)  
+-   [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)  
+-   [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)  
+-   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
+-   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
+-   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
+-   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
+-   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
+-   [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)  
+-   [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)  
+-   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
+-   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)  
+-   [System/AllowEmbeddedMode](#system-allowembeddedmode)  
+-   [System/AllowFontProviders](#system-allowfontproviders)  
+-   [System/AllowStorageCard](#system-allowstoragecard)  
+-   [System/TelemetryProxy](#system-telemetryproxy)  
+-   [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)  
+-   [Update/AllowUpdateService](#update-allowupdateservice)  
+-   [Update/PauseDeferrals](#update-pausedeferrals)  
+-   [Update/RequireDeferUpgrade](#update-requiredeferupgrade)  
+-   [Update/RequireUpdateApproval](#update-requireupdateapproval)  
+-   [Update/ScheduledInstallDay](#update-scheduledinstallday)  
+-   [Update/ScheduledInstallTime](#update-scheduledinstalltime)  
+-   [Update/UpdateServiceUrl](#update-updateserviceurl)  
+-   [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)  
+-   [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)  
+-   [Wifi/AllowWiFi](#wifi-allowwifi)  
+-   [Wifi/WLANScanMode](#wifi-wlanscanmode)  
+<!--EndIoTCore-->
+
+<!--StartHoloLens-->
+## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic for Business
+
+-   [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+-   [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+-   [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+-   [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+-   [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+-   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+-   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+-   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+-   [Browser/AllowCookies](#browser-allowcookies)
+-   [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+-   [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+-   [Browser/AllowPopups](#browser-allowpopups)
+-   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+-   [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+-   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+-   [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+-   [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+-   [Experience/AllowCortana](#experience-allowcortana)
+-   [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+-   [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)  
+-   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
+-   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
+-   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
+-   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
+-   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
+-   [System/AllowFontProviders](#system-allowfontproviders)  
+-   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+-   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+-   [Settings/AllowDateTime](#settings-allowdatetime)
+-   [Settings/AllowVPN](#settings-allowvpn)
+-   [System/AllowLocation](#system-allowlocation)
+-   [System/AllowTelemetry](#system-allowtelemetry)
+-   [Update/AllowAutoUpdate](#update-allowautoupdate)
+-   [Update/AllowUpdateService](#update-allowupdateservice)
+-   [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+-   [Update/RequireUpdateApproval](#update-requireupdateapproval)
+-   [Update/UpdateServiceUrl](#update-updateserviceurl)
+<!--EndHoloLens-->
+
+<!--StartSurfaceHub-->
+## <a href="" id="surfacehubpolicies"></a>Policies supported by Microsoft Surface Hub
+
+-   [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)  
+-   [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+-   [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+-   [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+-   [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+-   [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+-   [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)  
+-   [Browser/AllowCookies](#browser-allowcookies)
+-   [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
+-   [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+-   [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)  
+-   [Browser/AllowPopups](#browser-allowpopups)
+-   [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+-   [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+-   [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)  
+-   [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)  
+-   [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)  
+-   [Browser/HomePages](#browser-homepages)
+-   [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)  
+-   [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
+-   [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
+-   [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)  
+-   [Camera/AllowCamera](#camera-allowcamera)
+-   [ConfigOperations/ADMXInstall](#configoperations-admxinstall)  
+-   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+-   [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)  
+-   [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+-   [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+-   [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
+-   [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
+-   [Defender/AllowCloudProtection](#defender-allowcloudprotection)
+-   [Defender/AllowEmailScanning](#defender-allowemailscanning)
+-   [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
+-   [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
+-   [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
+-   [Defender/AllowIOAVProtection](#defender-allowioavprotection)
+-   [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
+-   [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
+-   [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
+-   [Defender/AllowScriptScanning](#defender-allowscriptscanning)
+-   [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
+-   [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
+-   [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
+-   [Defender/ExcludedExtensions](#defender-excludedextensions)
+-   [Defender/ExcludedPaths](#defender-excludedpaths)
+-   [Defender/ExcludedProcesses](#defender-excludedprocesses)
+-   [Defender/PUAProtection](#defender-puaprotection)
+-   [Defender/RealTimeScanDirection](#defender-realtimescandirection)
+-   [Defender/ScanParameter](#defender-scanparameter)
+-   [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
+-   [Defender/ScheduleScanDay](#defender-schedulescanday)
+-   [Defender/ScheduleScanTime](#defender-schedulescantime)
+-   [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
+-   [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
+-   [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+-   [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
+-   [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
+-   [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
+-   [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
+-   [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
+-   [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
+-   [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
+-   [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
+-   [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
+-   [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
+-   [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
+-   [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
+-   [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
+-   [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
+-   [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+-   [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)  
+-   [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)  
+-   [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)  
+-   [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)  
+-   [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)  
+-   [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)  
+-   [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)  
+-   [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+-   [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+-   [System/AllowFontProviders](#system-allowfontproviders) 
+-   [System/AllowLocation](#system-allowlocation)
+-   [System/AllowTelemetry](#system-allowtelemetry)
+-   [TextInput/AllowIMELogging](#textinput-allowimelogging)
+-   [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+-   [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+-   [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+-   [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+-   [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+-   [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+-   [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+-   [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+-   [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+-   [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+-   [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)  
+-   [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)  
+-   [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)  
+-   [Update/AllowAutoUpdate](#update-allowautoupdate)
+-   [Update/AllowUpdateService](#update-allowupdateservice)
+-   [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)  
+-   [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)  
+-   [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+-   [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+-   [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+-   [Update/DetectionFrequency](#update-detectionfrequency)  
+-   [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+-   [Update/PauseQualityUpdates](#update-pausequalityupdates)
+-   [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)  
+-   [Update/ScheduleRestartWarning](#update-schedulerestartwarning)  
+-   [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)  
+-   [Update/UpdateServiceUrl](#update-updateserviceurl)
+-   [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)  
+<!--EndSurfaceHub-->
+
+<!--StartEAS-->
+## <a href="" id="eas"></a>Policies that can be set using Exchange Active Sync (EAS)  
+
+-   [Browser/AllowBrowser](#browser-allowbrowser)  
+-   [Camera/AllowCamera](#camera-allowcamera)  
+-   [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)  
+-   [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)  
+-   [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)  
+-   [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)  
+-   [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)  
+-   [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)  
+-   [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)  
+-   [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)  
+-   [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)  
+-   [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)  
+-   [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)  
+-   [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)  
+-   [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)  
+-   [Security/RequireDeviceEncryption](#security-requiredeviceencryption)  
+-   [System/AllowStorageCard](#system-allowstoragecard)  
+-   [System/TelemetryProxy](#system-telemetryproxy)  
+-   [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)  
+-   [Wifi/AllowWiFi](#wifi-allowwifi)  
+<!--EndEAS-->
 
 ## Examples
 
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
new file mode 100644
index 0000000000..239e679672
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -0,0 +1,55 @@
+---
+title: TPMPolicy CSP
+description: TPMPolicy CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+
+The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The following diagram shows the TPMPolicy configuration service provider in tree format.
+
+![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png)
+
+<a href="" id="--device-vendor-msft-tpmpolicy"></a>**./Device/Vendor/MSFT/TPMPolicy**  
+<p style="margin-left: 20px">Defines the root node.</p>
+
+<a href="" id="isactivezeroexhaust"></a>**IsActiveZeroExhaust**  
+<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
+
+<ul>
+<li>There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected. </li>
+<li>There should be no traffic during installation of Windows and first logon when local ID is used.</li>
+<li>Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.</li>
+<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.</li>
+</ul>
+
+Here is an example:
+
+``` syntax
+                <Replace>
+                    <CmdID>101</CmdID>
+                    <Item>
+                        <Target>
+                            <LocURI>
+                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
+                            </LocURI>
+                        </Target>
+                        <Meta>
+                            <Format>bool</Format>
+                                <Type>text/plain</Type>
+                        </Meta>
+                        <Data>true</Data>
+                    </Item>
+                </Replace>
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
new file mode 100644
index 0000000000..35a90ff87b
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -0,0 +1,71 @@
+---
+title: TPMPolicy DDF file
+description: TPMPolicy DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy DDF file
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The XML below is the current version for this CSP. 
+
+``` syntax
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+    "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+    [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+    <VerDTD>1.2</VerDTD>
+    <Node>
+        <NodeName>TPMPolicy</NodeName>
+        <Path>./Vendor/MSFT</Path>
+        <DFProperties>
+            <AccessType>
+                <Get />
+            </AccessType>
+            <DFFormat>
+                <node />
+            </DFFormat>
+            <Occurrence>
+                <One />
+            </Occurrence>
+            <Scope>
+                <Permanent />
+            </Scope>
+            <DFType>
+                <MIME>com.microsoft/1.0/MDM/TPMPolicy</MIME>
+            </DFType>
+        </DFProperties>
+        <Node>
+            <NodeName>IsActiveZeroExhaust</NodeName>
+            <DFProperties>
+                <AccessType>
+                    <Get />
+                    <Replace />
+                </AccessType>
+                <DefaultValue>False</DefaultValue>
+                <DFFormat>
+                    <bool />
+                </DFFormat>
+                <Occurrence>
+                    <One />
+                </Occurrence>
+                <Scope>
+                    <Permanent />
+                </Scope>
+                <DFType>
+                    <MIME>text/plain</MIME>
+                </DFType>
+            </DFProperties>
+        </Node>
+    </Node>
+</MgmtTree>
+``` 
\ No newline at end of file
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index a308149484..5f3d54fbb1 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -240,17 +240,13 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
 
 ### <a href="" id="how-a-group-policy-policy-category-path-and-name-are-mapped-to-a-mdm-area-and-policy-name"></a>How a Group Policy policy category path and name are mapped to a MDM area and policy name
 
-Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifests (extension **wm.xml**) that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
+Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
 
 `./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
 
-The **wm.xml** for each mapped area can be found in its own directory under:
-
-`\\SDXROOT\onecoreuap\admin\enterprisemgmt\policymanager\policydefinition\`
-
 Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
 
-**Snippet of wm.xml for AppVirtualization area:**
+**Snippet of manifest for AppVirtualization area:**
 
 ```XML
 <identity xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"  xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" owner="Microsoft" namespace="Windows-DeviceManagement-PolicyDefinition" name="AppVirtualization">
diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
index 17d48bf9fe..3cfa5fbda0 100644
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@@ -24,8 +24,27 @@ author: nickbrower
 
 Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
 
-When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys.
+When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
 
+- Software\Policies\Microsoft\Office\
+- Software\Microsoft\Office\
+- Software\Microsoft\Windows\CurrentVersion\Explorer\
+- Software\Microsoft\Internet Explorer\
+- software\policies\microsoft\shared tools\proofing tools\
+- software\policies\microsoft\imejp\
+- software\policies\microsoft\ime\shared\
+- software\policies\microsoft\shared tools\graphics filters\
+- software\policies\microsoft\windows\currentversion\explorer\
+- software\policies\microsoft\softwareprotectionplatform\
+- software\policies\microsoft\officesoftwareprotectionplatform\
+- software\policies\microsoft\windows\windows search\preferences\
+- software\policies\microsoft\exchange\
+- software\microsoft\shared tools\proofing tools\
+- software\microsoft\shared tools\graphics filters\
+- software\microsoft\windows\windows search\preferences\
+- software\microsoft\exchange\
+- software\policies\microsoft\vba\security\
+- software\microsoft\onedrive 
 
 ## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
 
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index adf99d68fe..8a06655003 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -122,6 +122,9 @@ When you have the Start layout that you want your users to see, use the [Export-
     </tbody>
     </table>
 
+>[!IMPORTANT]
+>If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. 
+
 ## Configure a partial Start layout
 
 
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 33a512ae37..4c7a24ae08 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -15,7 +15,7 @@ author: jdeckerms
 
 Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. 
 
-When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. 
+When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm).
 
 The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).
 
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index c103eb3576..40ccf85845 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -160,35 +160,40 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
 
 - By using a path to a shortcut link (.lnk file) to a Windows desktop application.
 
-    To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. 
+  >[!NOTE]
+  >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in.
 
-    The following example shows how to pin the Command Prompt:
+  To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. 
 
-    ```XML
-    <start:DesktopApplicationTile
+  The following example shows how to pin the Command Prompt:
+
+  ```XML
+  <start:DesktopApplicationTile
           DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
           Size="2x2"
           Row="0"
           Column="4"/>
-    ```
+  ```
     
-    You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
+  You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
 
-    If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
+  If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
 
 - By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
 
-    To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. 
+  You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
 
-    The following example shows how to pin the Internet Explorer Windows desktop application:
+  To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. 
 
-    ```XML
+  The following example shows how to pin the Internet Explorer Windows desktop application:
+
+  ```XML
     <start:DesktopApplicationTile
           DesktopApplicationID="Microsoft.Windows.Explorer"
           Size="2x2"
           Row="0"
           Column="2"/>
-    ```
+  ```
     
 
 You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
@@ -205,6 +210,9 @@ The following example shows how to create a tile of the Web site's URL, which yo
           Column="2"/>
 ```
 
+>[!NOTE]
+>In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL.
+
 #### start:SecondaryTile
 
 You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
@@ -273,6 +281,9 @@ The following example shows how to modify your LayoutModification.xml file to ad
 
 You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start.
 
+>[!NOTE]
+>The OEM must have installed Office for this tag to work.
+
 The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start:
 
 ```XML
@@ -289,6 +300,9 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay
 
 You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group.
 
+>[!NOTE]
+>The OEM must have installed the Office trial installer for this tag to work.
+
 The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file:
 
 ```XML
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index b01537fa06..87134c472f 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -73,16 +73,23 @@ MBR2GPT: Validation completed successfully
 
 In the following example:
 
-1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 
 2. The MBR2GPT tool is used to convert disk 0.
-3. The DISKPART tool displays that disk 0 is now using the GPT format.
+3. The DiskPart tool displays that disk 0 is now using the GPT format.
 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
 5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. 
 
 >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
 
 ```
+X:\>DiskPart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
 DISKPART> list volume
 
   Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
@@ -140,7 +147,7 @@ MBR2GPT: Fixing drive letter mapping
 MBR2GPT: Conversion completed successfully
 MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
 
-X:\>diskpart
+X:\>DiskPart
 
 Microsoft DiskPart version 10.0.15048.0
 
@@ -364,9 +371,16 @@ You can also view the partition type of a disk by opening the Disk Management to
 ![Volumes](images/mbr2gpt-volume.PNG)
 
 
-If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example:
+If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
 
 ```
+X:\>DiskPart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
 DISKPART> list disk
 
   Disk ###  Status         Size     Free     Dyn  Gpt
diff --git a/windows/deployment/update/images/uc-01-wdav.png b/windows/deployment/update/images/uc-01-wdav.png
new file mode 100644
index 0000000000..c0ef37ebc6
Binary files /dev/null and b/windows/deployment/update/images/uc-01-wdav.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png
new file mode 100644
index 0000000000..266c5b7210
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-assessment.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png
new file mode 100644
index 0000000000..977478fb74
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-overview.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png
new file mode 100644
index 0000000000..2c6c355ca4
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-prot-status.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png
new file mode 100644
index 0000000000..733bfb6ae7
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png
new file mode 100644
index 0000000000..d914960a7a
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png
new file mode 100644
index 0000000000..7d8021b02e
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png
new file mode 100644
index 0000000000..cd500c2cb3
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png
new file mode 100644
index 0000000000..30e2e2352f
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-log.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png
new file mode 100644
index 0000000000..c7d1a436fe
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-query.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png
new file mode 100644
index 0000000000..ada9c09bbf
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-threat-status.png differ
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index f6c1878943..822dbf7bd1 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,6 +1,7 @@
 ---
 title: Get started with Update Compliance (Windows 10)
-description: Explains how to configure Update Compliance.
+description: Configure Update Compliance in OMS to see the status of updates and antimalware protection on devices in your network.
+keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -14,88 +15,90 @@ This topic explains the steps necessary to configure your environment for Window
 
 Steps are provided in sections that follow the recommended setup process:
 1.	Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2.	[Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite
-3.	[Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices
+2.	[Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3.	[Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
 
-## Update Compliance Prerequisites
+## Update Compliance prerequisites
 
 Update Compliance has the following requirements: 
 1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). 
 2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). 
-3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
+
+Service | Endpoint
+--- | ---
+Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
+Windows Error Reporting | watson.telemetry.microsoft.com
+Online Crash Analysis | oca.telemetry.microsoft.com
+
+
+ 4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
 
-    <TABLE BORDER=1>
-    <TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
-    <TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
-    <BR>settings-win.data.microsoft.com
-    <TR><TD>Windows Error Reporting	<TD>watson.telemetry.microsoft.com
-    <TR><TD>Online Crash Analysis	<TD>oca.telemetry.microsoft.com
-    </TABLE>
 
 ## Add Update Compliance to Microsoft Operations Management Suite
 
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). 
 
 If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
 
 If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
 
-1.	Go to [Operations Management Suite’s page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+1.	Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+
+
+   [![](images/uc-02a.png)](images/uc-02.png)
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-02.png"><img src="images/uc-02a.png"></A>
-    <TABLE>
 
 2.	Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-03.png"><img src="images/uc-03a.png"></A>
-    <TABLE>
+
+   [![](images/uc-03a.png)](images/uc-03.png)
+
 
 3.	Create a new OMS workspace. 
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-04.png"><img src="images/uc-04a.png"></A>
-    <TABLE>
 
+   [![](images/uc-04a.png)](images/uc-04.png)
+ 
 4.	Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-05.png"><img src="images/uc-05a.png"></A>
-    <TABLE>
+
+   [![](images/uc-05a.png)](images/uc-05.png)
+
 
 5.	If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-06.png"><img src="images/uc-06a.png"></A>
-    <TABLE>
+
+   [![](images/uc-06a.png)](images/uc-06.png)
+
 
 6.	To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-07.png"><img src="images/uc-07a.png"></A>
-    <TABLE>
 
-7.	Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace. 
+   [![](images/uc-07a.png)](images/uc-07.png)
+
+
+7.	Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. 
+
+ 
+   [![](images/uc-08a.png)](images/uc-08.png)
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-08.png"><img src="images/uc-08a.png"></A>
-    <TABLE>
 
 8.	Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-09.png"><img src="images/uc-09a.png"></A>
-    <TABLE>
+
+   [![](images/uc-09a.png)](images/uc-09.png)
+
 
 9.	Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
 
-    <P><TABLE BORDER=1><TR><TD>
-    <A HREF="images/uc-10.png"><img src="images/uc-10a.png"></A>
-    <TABLE>
+
+   [![](images/uc-10a.png)](images/uc-10.png)
+
 
 After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
 
+>[!NOTE]
 >You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
 
 ## Deploy your Commercial ID to your Windows 10 devices
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 9ee49a1e9d..1be2149594 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -1,6 +1,7 @@
 ---
-title: Monitor Windows Updates with Update Compliance (Windows 10)
-description: Introduction to Update Compliance.
+title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
+description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network.
+keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -8,26 +9,26 @@ ms.pagetype: deploy
 author: greg-lindsay
 ---
 
-# Monitor Windows Updates with Update Compliance
+# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
 
 ## Introduction
 
-With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsoft’s new servicing strategy: [Windows as a Service](waas-overview.md).
+With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
 
 Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
 
-Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. 
+Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. 
 
 Update Compliance provides the following:
 
-- An overview of your organization’s devices that just works.
-- Dedicated drill-downs for devices that might need attention.
-- An inventory of devices, including the version of Windows they are running and their update status.
-- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
-- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
-- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
+- Dedicated drill-downs for devices that might need attention
+- An inventory of devices, including the version of Windows they are running and their update status
+- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
+- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
+- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
+- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
 
-See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
+See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
 
 - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
 - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
@@ -36,19 +37,20 @@ An overview of the processes used by the Update Compliance solution is provided
 
 ## Update Compliance architecture
  
-The Update Compliance architecture and data flow is summarized by the following five step process:
+The Update Compliance architecture and data flow is summarized by the following five-step process:
 
 **(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
 **(2)** Telemetry data is analyzed by the Update Compliance Data Service.<BR>
 **(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.<BR>
 **(4)** Telemetry data is available in the Update Compliance solution.<BR>
-**(5)** You are able to monitor and troubleshoot Windows updates on your network.<BR>
+**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.<BR>
 
 These steps are illustrated in following diagram:
 
-![Update Compliance architecture](images/uc-01.png)
+![Update Compliance architecture](images/uc-01-wdav.png)
 
->This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
+>[!NOTE]
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
 
 
 
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 39d8b0e012..9daa1a5103 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -19,6 +19,7 @@ Update Compliance:
 - Provides a workflow that can be used to quickly identify which devices require attention. 
 - Enables you to track deployment compliance targets for updates.
 
+>[!NOTE]
 >Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
 
 In OMS, the aspects of a solution's dashboard are usually divided into <I>blades</I>. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through <I>queries</I>. <I>Perspectives</I> are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow. 
@@ -31,7 +32,8 @@ Update Compliance has the following primary blades:
 3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
 4. [Overall Feature Update Status](#overall-feature-update-status)
 5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
-6. [List of Queries](#list-of-queries)
+6. [Windows Defender Antivirus Assessment](#wdav-assessment)
+7. [List of Queries](#list-of-queries)
 
 
 ## OS Update Overview
@@ -41,6 +43,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b
 ![OS Update Overview](images/uc-11.png)
 
 
+
 This blade is divided into three sections: 
 - Device Summary: 
 - Needs Attention Summary
@@ -139,6 +142,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic
 
 Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below. 
 
+<a id="wdav-assessment"></a>
+## Windows Defender Antivirus Assessment
+
+You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
+
+![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
+
+The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
+
+If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
+
+There are two blades in the Windows Defender AV Assessment section:
+
+- Protection status
+- Threats status
+
+![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png)
+
+The **Protection Status** blade shows three key measurements:
+
+1. How many devices have old or current signatures (also known as protection updates or definitions)
+2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
+
+
+![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png)
+
+See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
+
+The **Threats Status** blade shows the following measurements:
+
+1. How many devices that have threats that have been remediated (removed or quarantined on the device)
+2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
+
+
+![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png)
+
+Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
+
+> [!IMPORTANT]
+> The data reported in Update Compliance can be delayed by up to 24 hours. 
+
+See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
+
+As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below. 
+
+
+### Investigate individual devices and threats
+
+
+Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
+
+![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png)
+
+You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
+
+![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png)
+
+
+
+
+
+
+
+
+You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
+
+![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png)
+
+
+
+Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
+
+![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png)
+
+
+You can also click the **. . .** button next to each label to instantly filter by that label or value.
+
+![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png)
+
+You can create your own queries by using a query string in the following format:
+
+```
+Type:<Group type> <Label>="<Value>"
+```
+
+You can use the following `<Group type>` options to scope your query:
+- `Type:WDAVStatus` to query information related to signature and real-time protection status
+- `Type:WDAVThreat` to query information about threat remediation and specific threats
+
+
+The `<Label>`, and `<Value>` fields are listed in the following table. All labels and values are case sensitive and must be entered as written below (including spaces).
+
+
+For queries that use `Type:WDAVStatus`, you can use the following labels and values.
+
+Label | Value
+---|---
+`Computer`|\<computer name>
+`ComputerID`|\<computer ID>
+`OSName`|\<Operating system name>
+`UpdateStatus`|`Not assessed` <br />`Signature up-to-date` <br />`Signature out-of-date`
+`DetailedStatus`|`Unknown` <br />`Non-Microsoft AV` <br />`No AV` <br />`AV expired` <br />`Disabled by GP` <br />`Disabled by LP` <br />`Recently disappeared`
+`ProtectionState`|`Real-time protection is off `<br />`Real-time protection is on`
+`MoreInformation`| \<free text string>
+`LastScan`| \<date and time of the last scan>
+
+
+
+For queries that use `Type:WDAVThreat`, you can use the following labels and values.
+
+ Label | Value
+ ---|---
+`Computer`|\<computer name>
+`ComputerID`|\<computer ID>
+`ThreatName`|\<detected threat name>
+`ThreatStatus`|`Remediation failed`<br/>`Remediated`
+`ThreatAction`|`Remediation pending reboot`
+`ThreatError`|`Disk full`<br/>`Network issue`<br/>`Operation aborted`
+`MoreInformation`|\<free text string>
+`LastScan`|\<date and time of the last scan>
+
+
+You can add multiple label-value pairs in the same query to refine and filter the results.
+
+![Add multiple value and name pairs in your query, separated by spaces](images/update-compliance-wdav-status-query.png)
+
+
 
 ## CB, CBB, LTSB Deployment Status
 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 2df47d49ca..18983b1998 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -44,7 +44,7 @@ With Windows Update for Business, you can set a device to be on either the Curre
 | GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
 | GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
 | MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
-| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
+| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
 
 Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
 
diff --git a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
index 494677a20d..964db9c8fc 100644
--- a/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-branches-windows-10-updates.md
@@ -60,7 +60,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except
 
 - In Windows 10, version 1511:
 
-    ../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade**
+    ../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade**
 
 - In Windows 10, version 1607:
 
@@ -70,7 +70,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except
 
 - In Windows 10 Mobile Enterprise, version 1511:
 
-    ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
+    ../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade
 
 - In Windows 10 Mobile Enterprise, version 1607:
 
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 8fe0d076bf..68eea6f9a8 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -16,17 +16,19 @@ This topic provides information on additional features that are available in Upg
 
 The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
 
-> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+> [!NOTE] 
+> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
 
 ### Install prerequisite security update for Internet Explorer
 
 Ensure the following prerequisites are met before using site discovery:
 
-1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. 
-2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
-3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. 
+1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
+   - For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
+   - For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
+2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 set **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
 
-    If necessary, you can also enable it by creating the following registry entry. 
+    If necessary, you can also enable data collection by creating the following registry entry. 
 
     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection 
 
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
deleted file mode 100644
index f62ee298ba..0000000000
--- a/windows/device-security/windows-security-baselines.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Windows security baselines (Windows 10)
-description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-
-# Windows security baselines
-
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Windows Server 2012 R2
-	
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
-
- > [!NOTE]  
- > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).  
-
-## What are security baselines?
-
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and 
-customers.  
-
-## Why are security baselines needed?
-
-Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
-
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be. 
-
-In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats. 
-
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
- 
-## How can you use security baselines?
- 
- You can use security baselines to:
- 
- - Ensure that user and device configuration settings are compliant with the baseline. 
- - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. 
- 
-## Where can I get the security baselines?
- 
- Here's a list of security baselines that are currently available.
-
- > [!NOTE]  
- > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
-
-### Windows 10 security baselines
- 
- -  [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- -  [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- -  [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
-### Windows Server security baselines
-
- -  [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- -  [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
-
-## How can I monitor security baseline deployments?
-
-Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
-
-You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
- 
\ No newline at end of file
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index c0eb96f69d..681794b4f9 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -1,5 +1,5 @@
 # [Threat protection](index.md)
-
+## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
 ### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
 ### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 3a1c5ca1c6..1c76376a0b 100644
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ You'll also see additional links for:
 - Reporting on Windows Defender Antivirus protection
 
 > [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. 
 
 
 Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options  
@@ -84,6 +84,6 @@ Topic | Description
 ---|---
 [Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
 [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
 
 
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 12e13918c2..89be197b89 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -33,7 +33,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
 
 Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
 
-The cloud-delivered protection is �always-on� and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. 
+The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. 
 
 
 ## Product updates
diff --git a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
index 2ace158d7c..dda75ed42a 100644
--- a/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
@@ -28,6 +28,9 @@ There are a number of ways you can review protection status and alerts, dependin
 
 You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).  
 
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
+
+
 If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx). 
 
 Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and  [Windows Defender events](troubleshoot-windows-defender-antivirus.md). 
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 7fa6451710..6bef064955 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -31,11 +31,11 @@ See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/wi
 
 If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
 
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
 
-You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
 
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
 
 
 ## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index b350ed550f..b3305b6b1c 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -36,12 +36,12 @@ author: iaanw
 
 Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
 
-See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
 
 While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
 
 - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
-- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
+- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
 
 
 ## Related topics
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 0a4d40cb54..2a053cc803 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -35,12 +35,16 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
 
 Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
 
-The app also includes the settings and status of:
+> [!IMPORTANT] 
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
 
-- The PC (as "device health")
-- Windows Firewall
-- Windows Defender SmartScreen Filter
-- Parental and Family Controls
+> [!WARNING] 
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. 
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed. 
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
 
 >[!NOTE]
 >The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
diff --git a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index f0976431f1..78add1c8f2 100644
--- a/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -25,52 +25,262 @@ Understand what data fields are exposed as part of the alerts API and how they m
 
 
 ##	Alert API fields and portal mapping
+The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
+
+
+The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the  needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
 Field numbers match the numbers in the images below.
 
-Portal label  | SIEM field name | Description
-:---|:---|:---
-1	| LinkToWDATP |	Link back to the alert page in Windows Defender ATP
-2	|	Alert ID	| Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
-3	| AlertTitle | Alert	title
-4	| Actor |	Actor name
-5	| AlertTime |	Last time the alert was observed
-6 | Severity |	Alert severity
-7	| Category |	Alert category
-8 | Status in queue | Alert status in queue
-9	| ComputerDnsName|	Computer DNS name and machine name
-10| IoaDefinitionId	| (Internal only)  <br><br>  ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
-11 | UserName	| The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
-12 | FileName	| File name
-13 | FileHash	| Sha1 of file observed
-14 | FilePath	| File path
-15 | IpAddress |	IP of the IOC (when relevant)
-16 | URL	| URL of the IOC (when relevant)  
-17 | FullId	| (Internal only)  <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
-18 | AlertPart	| (Internal only)  <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
-19 | LastProccesedTimeUtc | (Internal only)  <br><br>	Time the alert was last processed in Windows Defender ATP.
-20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
-21 | ThreatCategory| Windows Defender AV threat category
-22 | ThreatFamily |	Windows Defender AV family name
-23 | RemediationAction |	Windows Defender AV threat category	 |
-24 | WasExecutingWhileDetected	| Indicates if a file was running while being detected.
-25|	RemediationIsSuccess	| Indicates if an alert was successfully remediated.
-26 | Sha1	| Sha1 of file observed	in alert timeline and in file side pane (when available)
-27 | Md5 | Md5 of file observed	(when available)
-28 | Sha256 |	Sha256 of file observed	(when available)
-29	|	ThreatName	| Windows Defender AV threat name
+<table style="table-layout:fixed;width:100%" >
+  <tr>
+    <th class>Portal label</th>
+    <th class>SIEM field name</th>
+    <th class>ArcSight field</th>
+    <th class>Example value</th>
+    <th class>Description</th>
+    <th class></th>
+  </tr>
+  <tr>
+    <td class>1</td>
+    <td class>AlertTitle</td>
+    <td class>name</td>
+    <td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>2</td>
+    <td class>Severity</td>
+    <td class>deviceSeverity</td>
+    <td class>Medium</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>3</td>
+    <td class>Category</td>
+    <td class>deviceEventCategory</td>
+    <td class>Privilege Escalation</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>4</td>
+    <td class>Source</td>
+    <td class>sourceServiceName</td>
+    <td class>WindowsDefenderATP</td>
+    <td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>5</td>
+    <td class>MachineName</td>
+    <td class>sourceHostName</td>
+    <td class>liz-bean</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>6</td>
+    <td class>FileName</td>
+    <td class>fileName</td>
+    <td class>Robocopy.exe</td>
+    <td class>Available for alerts associated with a file or process.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>7</td>
+    <td class>FilePath</td>
+    <td class>filePath</td>
+    <td class>C:\Windows\System32\Robocopy.exe</td>
+    <td class>Available for alerts associated with a file or process. \</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>8</td>
+    <td class>UserDomain</td>
+    <td class>sourceNtDomain</td>
+    <td class>contoso</td>
+    <td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>9</td>
+    <td class>UserName</td>
+    <td class>sourceUserName</td>
+    <td class>liz-bean</td>
+    <td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>10</td>
+    <td class>Sha1</td>
+    <td class>fileHash</td>
+    <td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
+    <td class>Available for alerts associated with a file or process.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>11</td>
+    <td class>Md5</td>
+    <td class>deviceCustomString5</td>
+    <td class>55394b85cb5edddff551f6f3faa9d8eb</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>12</td>
+    <td class>Sha256</td>
+    <td class>deviceCustomString6</td>
+    <td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>13</td>
+    <td class>ThreatName</td>
+    <td class>eviceCustomString1</td>
+    <td class>Trojan:Win32/Skeeyah.A!bit</td>
+    <td class>Available for Windows Defender AV alerts.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>14</td>
+    <td class>IpAddress</td>
+    <td class>sourceAddress</td>
+    <td class>218.90.204.141</td>
+    <td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>15</td>
+    <td class>Url</td>
+    <td class>requestUrl</td>
+    <td class>down.esales360.cn</td>
+    <td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>16</td>
+    <td class>RemediationIsSuccess</td>
+    <td class>deviceCustomNumber2</td>
+    <td class>TRUE</td>
+    <td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>17</td>
+    <td class>WasExecutingWhileDetected</td>
+    <td class>deviceCustomNumber1</td>
+    <td class>FALSE</td>
+    <td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>18</td>
+    <td class>AlertId</td>
+    <td class>externalId</td>
+    <td class>636210704265059241_673569822</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>19</td>
+    <td class>LinkToWDATP</td>
+    <td class>flexString1</td>
+    <td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
+    <td class>Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>20</td>
+    <td class>AlertTime</td>
+    <td class>deviceReceiptTime</td>
+    <td class>2017-05-07T01:56:59.3191352Z</td>
+    <td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>21</td>
+    <td class>MachineDomain</td>
+    <td class>sourceDnsDomain</td>
+    <td class>contoso.com</td>
+    <td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>22</td>
+    <td class>Actor</td>
+    <td class>deviceCustomString4</td>
+    <td class></td>
+    <td class>Available for alerts related to a known actor group.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>21+5</td>
+    <td class>ComputerDnsName</td>
+    <td class>No mapping</td>
+    <td class>liz-bean.contoso.com</td>
+    <td class>The machine fully qualified domain name. Value available for every alert.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>LogOnUsers</td>
+    <td class>sourceUserId</td>
+    <td class>contoso\liz-bean; contoso\jay-hardee</td>
+    <td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class>Internal field</td>
+    <td class>LastProcessedTimeUtc</td>
+    <td class>No mapping</td>
+    <td class>2017-05-07T01:56:58.9936648Z</td>
+    <td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceVendor</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceProduct</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
+    <td class></td>
+  </tr>
+  <tr>
+    <td class></td>
+    <td class>Not part of the schema</td>
+    <td class>deviceVersion</td>
+    <td class></td>
+    <td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
+    <td class></td>
+  </tr>
+</table>
 
->[!NOTE]
-> Fields #21-29 are related to Windows Defender Antivirus alerts.
 
-![Image of actor profile with numbers](images/atp-actor.png)
+![Image of alert with numbers](images/atp-alert-page.png)
 
-![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
+![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
 
-![Image of new alerts with numbers](images/atp-alert-source.png)
+![Image of alert timeline with numbers](images/atp-siem-mapping3.png)
 
-![Image of machine timeline with numbers](images/atp-remediated-alert.png)
+![Image of alert timeline with numbers](images/atp-siem-mapping4.png)
 
-![Image of file details](images/atp-file-details.png)
+![Image machine view](images/atp-mapping6.png)
+
+![Image browser URL](images/atp-mapping5.png)
+
+![Image actor alert](images/atp-mapping7.png)
 
 
 ## Related topics
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index cb875edc71..1976fb8703 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -24,14 +24,14 @@ localizationpriority: high
 
 <span id="sccm1606"/>
 ## Configure endpoints using System Center Configuration Manager (current branch) version 1606
-System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
+System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
 
 >[!NOTE]
 > If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
 
 <span id="sccm1602"/>
 ## Configure endpoints using System Center Configuration Manager earlier versions
-You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
+You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
 
 - System Center 2012 Configuration Manager
 - System Center 2012 R2 Configuration Manager
diff --git a/windows/threat-protection/windows-defender-atp/images/1.png b/windows/threat-protection/windows-defender-atp/images/1.png
new file mode 100644
index 0000000000..70ce314c00
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png b/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png
new file mode 100644
index 0000000000..a23b78fd2f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png
new file mode 100644
index 0000000000..238b7e880b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-details.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
new file mode 100644
index 0000000000..33cb7862f6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png
new file mode 100644
index 0000000000..2f834e986c
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alert-page.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
index 06daaa6ea7..4dfdc73f8c 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
index 467c7a321e..f162f21b1b 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
new file mode 100644
index 0000000000..af1915fb0b
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png b/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
new file mode 100644
index 0000000000..3df0eccc18
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png b/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
index 2968bc4cbb..1dd7f28817 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png and b/windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
index e91eb539fa..3d9b39c0f9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index fbb2de4176..c9063c8fa9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
index a1e3309e81..da80abb64f 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
index b58b0f29b0..eccd6e9aec 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png
new file mode 100644
index 0000000000..e2a484f610
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping 3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png
new file mode 100644
index 0000000000..b34e915132
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png
new file mode 100644
index 0000000000..7a735cb861
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png
new file mode 100644
index 0000000000..7033649791
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png
new file mode 100644
index 0000000000..baeae0dd38
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping4.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png
new file mode 100644
index 0000000000..405fbaf384
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping5.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png
new file mode 100644
index 0000000000..2681a11815
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping6.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png
new file mode 100644
index 0000000000..e46a8edac4
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-mapping7.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png
new file mode 100644
index 0000000000..c59c3c04c0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png
new file mode 100644
index 0000000000..7aa79c89b8
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping13.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png
new file mode 100644
index 0000000000..b1521c7567
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png
new file mode 100644
index 0000000000..8dcfa06ea0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping3.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png
new file mode 100644
index 0000000000..ebc702179f
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-siem-mapping4.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
index 200437ab22..1d852999b9 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index e456a18096..c621085545 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Investigate Windows Defender Advanced Threat Protection alerts
-description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
+description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
 keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -15,30 +15,35 @@ localizationpriority: high
 
 **Applies to:**
 
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.  
+Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
+
+![Image of the alert page](images/atp-alert-details.png)
+
+
+The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
+
+For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md).
+
+The alert details page also shows the alert process tree, an incident graph, and an alert timeline.
 
 You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
 
 Alerts attributed to an adversary or actor display a colored tile with the actor's name.
 
-![A detailed view of an alert when clicked](images/alert-details.png)
+![A detailed view of an alert when clicked](images/atp-actor-alert.png)
 
 Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
 
 Some actor profiles include a link to download a more comprehensive threat intelligence report.
 
-![Image of detailed actor profile](images/atp-actor-report.png)
+![Image of detailed actor profile](images/atp-detailed-actor.png)
 
 The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
 
 ## Alert process tree
-The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
+The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
 
 ![Image of the alert process tree](images/atp-alert-process-tree.png)
 
@@ -46,11 +51,15 @@ The **Alert process tree** expands to display the execution path of the alert, i
 
 The alert and related events or evidence have circles with thunderbolt icons inside them.
 
+
 >[!NOTE]
 >The alert process tree might not be available in some alerts.
 
-Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page –  while remaining on the alert page, so you never leave the current context of your investigation.  
+Clicking in the circle immediately to the left of the indicator displays its details.
 
+![Image of the alert details pane](images/atp-alert-mgt-pane.png)
+
+The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page –  while remaining on the alert page, so you never leave the current context of your investigation.  
 
 
 ## Incident graph
@@ -58,9 +67,7 @@ The **Incident Graph**  provides a visual representation of the organizational f
 
 ![Image of the Incident graph](images/atp-incident-graph.png)
 
-The **Incident Graph**  previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
-
-The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
+The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
 
 The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
 
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 1fc73cb046..435dc1a3c2 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -15,10 +15,6 @@ localizationpriority: high
 
 **Applies to:**
 
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 ## Investigate machines
@@ -55,7 +51,9 @@ You'll also see details such as logon types for each user account, the user grou
 
  For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
 
-The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
+
+This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
 
 You can also choose to highlight an alert from the **Alerts related to this machine** or from the  **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
 
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-home.png b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png
new file mode 100644
index 0000000000..601b2a32b8
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-home.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png
new file mode 100644
index 0000000000..e3d744df4c
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png
new file mode 100644
index 0000000000..a35daeb1f4
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
new file mode 100644
index 0000000000..eec35c6dcf
Binary files /dev/null and b/windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png differ
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
new file mode 100644
index 0000000000..f8376c934c
--- /dev/null
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -0,0 +1,119 @@
+---
+title: Windows Defender Security Center 
+description: The Windows Defender Security Center brings together common Windows security features into one place
+keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# The Windows Defender Security Center
+
+**Applies to**
+
+- Windows 10, version 1703
+
+
+
+
+In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
+
+
+
+
+![Screen shot of the Windows Defender Security Center showing that the device is protected and five icons for each of the features](images/security-center-home.png)
+
+
+
+
+Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703.
+
+The app includes the settings and status for the following security features:
+
+- Virus & threat protection, including settings for Windows Defender Antivirus
+- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
+- Firewall & network protection, including Windows Firewall
+- App & browser control, covering Windows Defender SmartScreen settings
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+
+
+
+The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device. 
+
+> [!IMPORTANT] 
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
+
+> [!WARNING] 
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. 
+>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed. 
+>This will significantly lower the protection of your device and could lead to malware infection.
+
+
+## Open the Windows Defender Security Center
+- Right-click the icon in the notification area on the taskbar and click **Open**.
+
+    ![Screen shot of the Shield icon for the Windows Defender Security Center in the bottom Windows task bar](images/security-center-taskbar.png)
+- Search the Start menu for **Windows Defender Security Center**.
+
+    ![Screen shot of the Start menu showing the results of a search for Windows Defender Security Center, the first option with a large shield symbol is selected](images/security-center-start-menu.png)
+
+
+> [!NOTE]
+> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
+
+## How the Windows Defender Security Center works with Windows security features
+
+
+
+
+The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. 
+
+It acts as a collector or single place to see the status and perform some configuration for each of the features.
+
+Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
+
+> [!IMPORTANT] 
+> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
+
+For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
+
+The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
+
+
+
+## More information
+
+See the following links for more information on the features in the Windows Defender Security Center:
+- Windows Defender Antivirus
+    - IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+    - Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
+- Device performance & health
+    - It administrators and IT pros can [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers), and learn how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager)
+    - Home users can learn more at the [Track your device and performance health in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012986/windows-defender-track-your-device-performance-health)
+- Windows Firewall
+    - IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security)
+    - Home users can learn more at the [Firewall & network protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012988/windows-10-firewall-network-protection-windows-defender-security-center)
+- Windows Defender SmartScreen
+    - IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
+    - Home users can learn more at the [App & browser control in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013218/windows-10-app-browser-control-in-windows-defender)
+- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
+    - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
+
+
+
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+
+
+
+