From 6d8fb7b428d5db6fbfefcf2ce3b8005d89e0f2b4 Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Tue, 29 Aug 2017 17:43:29 +0000 Subject: [PATCH 1/3] Merged PR 2912: add missing automation tag; and fix a few sku supports --- .../mdm/policy-configuration-service-provider.md | 6 ++---- windows/client-management/mdm/policy-csp-browser.md | 1 + 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 750dc3fc1a..cf20c306d2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3365,7 +3365,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) - [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) 
@@ -3374,7 +3373,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) - [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) @@ -3420,7 +3418,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Experience/AllowCortana](#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) 
@@ -3429,7 +3426,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [Settings/AllowDateTime](#settings-allowdatetime) @@ -3520,6 +3516,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) - [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard) +- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) - [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) - [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) - [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) 
@@ -3528,6 +3525,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) - [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) - [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - [System/AllowFontProviders](#system-allowfontproviders) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 687dbaf959..263cff9d57 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1314,6 +1314,7 @@ Employees cannot remove these search engines, but they can set any one as the de

Data type is string. Supported operations are Add, Get, Replace, and Delete. + **Browser/SendIntranetTraffictoInternetExplorer** From 0b44189a7c99ff7c78ab92e83e675e60b8b08957 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 29 Aug 2017 19:27:24 +0000 Subject: [PATCH 2/3] Merged PR 2938: Updated ExploitGuard and Browser policies in Policy CSP --- .../mdm/policy-csp-browser.md | 4 +-- .../mdm/policy-csp-exploitguard.md | 29 +++++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 263cff9d57..edd167f211 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1041,7 +1041,7 @@ Employees cannot remove these search engines, but they can set any one as the de

If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. -

Data type is integer. Supported operations are Add, Get, Replace, and Delete. +

Data type is integer. @@ -1311,7 +1311,7 @@ Employees cannot remove these search engines, but they can set any one as the de

If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. -

Data type is string. Supported operations are Add, Get, Replace, and Delete. +

Data type is string. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index cf06c60c3e..d1dc5d3933 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 08/29/2017 --- # Policy CSP - ExploitGuard @@ -41,10 +41,35 @@ ms.date: 08/11/2017 -

Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. +

Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).

The system settings require a reboot; the application settings do not require a reboot. +

Here is an example: + +``` syntax + + + + + $CmdId$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings + + ]]> + + + + + + +``` +


From a07bcceb57c58b4c2d6dd6dca7628de47db6011d Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 29 Aug 2017 19:49:35 +0000 Subject: [PATCH 3/3] Merged PR 2929: Update prereqs for Skype for Business Online --- ...hybrid-deployment-surface-hub-device-accounts.md | 13 +++---------- ...online-deployment-surface-hub-device-accounts.md | 7 ++----- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 91ea69d286..41b4b78342 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -114,6 +114,7 @@ Use this procedure if you use Exchange on-prem. Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-prem](#skype-for-business-on-prem), or [Skype for Business hybrid](#skype-for-business-hybrid). + ### Skype for Business Online To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need. 
@@ -309,18 +310,10 @@ Use this procedure if you use Exchange online. Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-prem](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid). - + ### Skype for Business Online -In order to enable Skype for Business, your environment will need to meet the following prerequisites: - -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - -- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). - -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#sfb-online). 1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC. diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 146dddaaa1..91423ffc82 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
@@ -83,11 +83,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true ``` -7. Surface Hub requires a license for Skype for Business functionality. - - Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. - - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - +7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). + Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
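Review bot: in PATCH 1/3, the subject "fix a few sku supports" does not say which support lists `Privacy/EnableActivityFeed` and `Privacy/PublishUserActivities` move between in policy-configuration-service-provider.md. The removal hunks (at 3365, 3374, 3420, 3429) and the addition hunks (at 3520, 3528) all carry the same "The following diagram shows the Policy configuration service provider in tree fo" context, so the diff alone cannot confirm the entries landed in the intended list. Name the source and destination lists in the commit message, and check that the sections behind `#privacy-enableactivityfeed` and `#privacy-publishuseractivities` state the same support.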
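Review bot: in PATCH 2/3, the two policy-csp-browser.md hunks (at 1041 and 1311) drop "Supported operations are Add, Get, Replace, and Delete." and leave only "Data type is integer." and "Data type is string.", with no replacement and no reason given in the commit message. An MDM author reading these two policies can no longer tell which operations are valid. If the supported set changed, state the new set in place of the old sentence. If the sentence is being retired across the Browser policies, say so in the commit message.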
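Review bot: in PATCH 2/3, the added paragraph in policy-csp-exploitguard.md (hunk at 41) reads "For more information Exploit Protection, see"; it is missing "about". The same line keeps "The configuration is represented by an XML", which would read better as "represented by XML". Both new links hardcode the `en-us` locale in the docs.microsoft.com URL; consider dropping the locale segment. The added example also shows a closing `]]>` with no payload visible before it, so confirm the rendered page shows the CDATA opener and a sample mitigation XML inside it.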
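Review bot: in PATCH 3/3, the second hunk of hybrid-deployment-surface-hub-device-accounts.md (at 309) uses `#sfb-online` for two different destinations. The unchanged line "Next, you enable the device account with [Skype for Business Online](#sfb-online)" expects the procedure that follows, while the new line "[prerequisites for Skype for Business online](#sfb-online)" expects the prerequisites table. Only one of them can resolve correctly. The first hunk (at 114) also leaves its context links on `#skype-for-business-online`, so the two sections now use different anchor schemes. Give the prerequisites their own anchor and point the new link at it. Also confirm that the table covers the removed bullets: the Enterprise Voice requirement for Lync Online (Plan 3), and that no Exchange Online license is needed.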
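Review bot: in PATCH 3/3, step 7 of online-deployment-surface-hub-device-accounts.md (hunk at 83) now sends readers of the online-only guide to `hybrid-deployment-surface-hub-device-accounts.md#sfb-online` for the license requirements. The step then continues with `Get-MsolAccountSku` and `Set-MsolUserLicense` without saying which SKU to assign. The removed lines carried that detail (Lync Online Plan 2 or Plan 3, no Exchange Online license). Keep a one-line summary of the required license in step 7 next to the link, so the step still works if the anchor in the other file is renamed or moved.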