diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 8a8c061684..8f10c8e96a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,11 @@
{
"redirections": [
{
+"source_path": "windows/device-security/windows-security-baselines.md",
+"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
+"redirect_document_id": false
+},
+{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": true
diff --git a/education/index.md b/education/index.md
index 0bb10155b3..95fdcd0939 100644
--- a/education/index.md
+++ b/education/index.md
@@ -207,6 +207,25 @@ author: CelesteDG
+
+
+
+
+
+
+
+
+
+
+
+
Set up School PCs
+
Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+
+
+
+
+
+
+
+
+
+
+
+
+
Set up School PCs
+
Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.
+
+
+
+
 |
-  |
- |
- |
- |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
|
|
@@ -2044,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
+
+[TPMPolicy CSP](tpmpolicy-csp.md)
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
@@ -2358,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
Footnotes:
- 1 - Added in Windows 10, version 1607
-- 2 - Added in Windows 10, version 1703
+- 2 - Added in Windows 10, version 1703
+- 3 - Added in the next major update to Windows 10
> [!Note]
> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 34913158a8..e621f09ad8 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -13,10 +13,12 @@ author: nickbrower
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
+The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
+For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
+
The following diagram shows the Firewall configuration service provider in tree format.
diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png
new file mode 100644
index 0000000000..8950a1614d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 9992411f6a..96d9601963 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -14,6 +14,8 @@ author: nickbrower
# What's new in MDM enrollment and management
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
@@ -892,6 +894,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
[Policy CSP](policy-configuration-service-provider.md)
+
+| [TPMPolicy CSP](tpmpolicy-csp.md) |
+New CSP added in Windows 10, version 1703. |
+
@@ -1180,7 +1186,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) |
Added a list of registry locations that ingested policies are allowed to write to. |
-
+
| [Firewall CSP](firewall-csp.md) |
Added the following nodes:
@@ -1191,6 +1197,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- Status
Also Added [Firewall DDF file](firewall-ddf-file.md). |
+
+| [TPMPolicy CSP](tpmpolicy-csp.md) |
+New CSP added in Windows 10, version 1703. |
+
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 5b81c0026b..1fb89dc1e2 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -11587,6 +11587,13 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
+
+
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
No reboot or service restart is required for this policy to take effect.
@@ -15951,6 +15958,376 @@ ADMX Info:
- 0 – Not allowed.
- 1 (default) – Allowed.
+
+
+
+**Start/AllowPinnedFolderDocuments**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderFileExplorer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderHomeGroup**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderMusic**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderNetwork**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPersonalFolder**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPictures**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderSettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderVideos**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
@@ -15999,6 +16376,29 @@ ADMX Info:
**Start/HideAppList**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16024,6 +16424,29 @@ ADMX Info:
**Start/HideChangeAccountSettings**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
@@ -16042,6 +16465,29 @@ ADMX Info:
**Start/HideFrequentlyUsedApps**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16067,6 +16513,29 @@ ADMX Info:
**Start/HideHibernate**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
@@ -16088,6 +16557,29 @@ ADMX Info:
**Start/HideLock**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
@@ -16106,6 +16598,29 @@ ADMX Info:
**Start/HidePowerButton**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16127,6 +16642,29 @@ ADMX Info:
**Start/HideRecentJumplists**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16155,6 +16693,29 @@ ADMX Info:
**Start/HideRecentlyAddedApps**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16180,6 +16741,29 @@ ADMX Info:
**Start/HideRestart**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
@@ -16198,6 +16782,29 @@ ADMX Info:
**Start/HideShutDown**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
@@ -16216,6 +16823,29 @@ ADMX Info:
**Start/HideSignOut**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
@@ -16234,6 +16864,29 @@ ADMX Info:
**Start/HideSleep**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
@@ -16252,6 +16905,29 @@ ADMX Info:
**Start/HideSwitchAccount**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
@@ -16270,6 +16946,29 @@ ADMX Info:
**Start/HideUserTile**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16292,6 +16991,29 @@ ADMX Info:
**Start/ImportEdgeAssets**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -16315,6 +17037,29 @@ ADMX Info:
**Start/NoPinningToTaskbar**
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ MobileEnterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
@@ -19410,81 +20155,251 @@ Footnote:
-## IoT Core Support
+## Policies Supported by IoT Core
-[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-[Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-[Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
-[Browser/AllowAutofill](#browser-allowautofill)
-[Browser/AllowBrowser](#browser-allowbrowser)
-[Browser/AllowCookies](#browser-allowcookies)
-[Browser/AllowDoNotTrack](#browser-allowdonottrack)
-[Browser/AllowInPrivate](#browser-allowinprivate)
-[Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-[Browser/AllowPopups](#browser-allowpopups)
-[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
-[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
-[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
-[Camera/AllowCamera](#camera-allowcamera)
-[Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
-[Connectivity/AllowNFC](#connectivity-allownfc)
-[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
-[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
-[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
-[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
-[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
-[Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
-[System/AllowEmbeddedMode](#system-allowembeddedmode)
-[System/AllowStorageCard](#system-allowstoragecard)
-[System/TelemetryProxy](#system-telemetryproxy)
-[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
-[Update/AllowUpdateService](#update-allowupdateservice)
-[Update/PauseDeferrals](#update-pausedeferrals)
-[Update/RequireDeferUpgrade](#update-requiredeferupgrade)
-[Update/RequireUpdateApproval](#update-requireupdateapproval)
-[Update/ScheduledInstallDay](#update-scheduledinstallday)
-[Update/ScheduledInstallTime](#update-scheduledinstalltime)
-[Update/UpdateServiceUrl](#update-updateserviceurl)
-[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
-[Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-[Wifi/AllowWiFi](#wifi-allowwifi)
-[Wifi/WLANScanMode](#wifi-wlanscanmode)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+- [Browser/AllowAutofill](#browser-allowautofill)
+- [Browser/AllowBrowser](#browser-allowbrowser)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowInPrivate](#browser-allowinprivate)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
+- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
+- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowNFC](#connectivity-allownfc)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
+- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
+- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [System/AllowEmbeddedMode](#system-allowembeddedmode)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/PauseDeferrals](#update-pausedeferrals)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+- [Wifi/WLANScanMode](#wifi-wlanscanmode)
+
+## Policies supported by Windows Holographic for Business
+
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Policies supported by Microsoft Surface Hub
+
+- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)
+- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)
+- [Browser/HomePages](#browser-homepages)
+- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
+- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
+- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
+- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](#defender-excludedextensions)
+- [Defender/ExcludedPaths](#defender-excludedpaths)
+- [Defender/ExcludedProcesses](#defender-excludedprocesses)
+- [Defender/PUAProtection](#defender-puaprotection)
+- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
+- [Defender/ScanParameter](#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](#defender-schedulescanday)
+- [Defender/ScheduleScanTime](#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [TextInput/AllowIMELogging](#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
+- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
+- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+- [Update/DetectionFrequency](#update-detectionfrequency)
+- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](#update-pausequalityupdates)
+- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
+- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
+
+
-## Can be set using Exchange Active Sync (EAS)
+## Policies that can be set using Exchange Active Sync (EAS)
-[Browser/AllowBrowser](#browser-allowbrowser)
-[Camera/AllowCamera](#camera-allowcamera)
-[Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
-[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
-[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
-[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
-[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
-[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
-[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
-[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
-[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
-[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
-[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-[Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-[System/AllowStorageCard](#system-allowstoragecard)
-[System/TelemetryProxy](#system-telemetryproxy)
-[Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
-[Wifi/AllowWiFi](#wifi-allowwifi)
+- [Browser/AllowBrowser](#browser-allowbrowser)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
-
-
## Examples
Set the minimum password length to 4 characters.
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
new file mode 100644
index 0000000000..239e679672
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -0,0 +1,55 @@
+---
+title: TPMPolicy CSP
+description: TPMPolicy CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+
+The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The following diagram shows the TPMPolicy configuration service provider in tree format.
+
+
+
+**./Device/Vendor/MSFT/TPMPolicy**
+
Defines the root node.
+
+**IsActiveZeroExhaust**
+Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
+
+
+- There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
+- There should be no traffic during installation of Windows and first logon when local ID is used.
+- Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
+- Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
+
+
+Here is an example:
+
+``` syntax
+
+ 101
+ -
+
+
+ ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
+
+
+
+ bool
+ text/plain
+
+ true
+
+
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
new file mode 100644
index 0000000000..35a90ff87b
--- /dev/null
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -0,0 +1,71 @@
+---
+title: TPMPolicy DDF file
+description: TPMPolicy DDF file
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# TPMPolicy DDF file
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ TPMPolicy
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/TPMPolicy
+
+
+
+ IsActiveZeroExhaust
+
+
+
+
+
+ False
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
deleted file mode 100644
index f62ee298ba..0000000000
--- a/windows/device-security/windows-security-baselines.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Windows security baselines (Windows 10)
-description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
-author: brianlic-msft
----
-
-# Windows security baselines
-
-**Applies to**
-
-- Windows 10
-- Windows Server 2016
-- Windows Server 2012 R2
-
-Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
-
-We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
-
- > [!NOTE]
- > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
-
-## What are security baselines?
-
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
-
-A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
-customers.
-
-## Why are security baselines needed?
-
-Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
-
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
-
-In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
-
-To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
-
-## How can you use security baselines?
-
- You can use security baselines to:
-
- - Ensure that user and device configuration settings are compliant with the baseline.
- - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
-
-## Where can I get the security baselines?
-
- Here's a list of security baselines that are currently available.
-
- > [!NOTE]
- > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
-
-### Windows 10 security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- - [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
-
-### Windows Server security baselines
-
- - [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- - [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
-
-## How can I monitor security baseline deployments?
-
-Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
-
-You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
-
\ No newline at end of file